STCOR-869 do not store /logout as a "return-to" URL #1510
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When a session ends due to timeout, the current location is stored in order to allow the subsequent session to begin where the previous one left off. If the "session timeout" event fires more than once**, however, this could lead to the `/logout` location being stored as the "return to" location with obvious dire consequences. There are two changes here: 1. Don't allow locations beginning with `/logout` to be stored. This fixes the symptom, not the root cause, but is still worthwhile. 2. Store the session-timeout interval ID in redux, and manage that timer via a redux action. Even though this _still_ shouldn't fire more than once, if it does, this allows us to cancel the previous timer before adding the next one. This is an attempt to fix the root cause. Refs STCOR-869
|
zburke
added a commit
that referenced
this pull request
Dec 26, 2024
`setRtrFlsWarningTimeout()` now sends `rtrFlsWarningTimeout` rather than `rtrFlsTimeout`. This bug was introduced in PR #1511 (onto `keycloak-quesnelia`), which looks like a bad copy-pasta from PR #1510 (onto `keycloak-ramsons`). When RTR is correctly configured such that sessions end at a fixed (static) datestamp, this change will have no effect: the original timer will not be canceled when the tokens rotate, but it won't matter because the end-point isn't moving, meaning the original timer will remain accurate. When RTR is incorrectly configured, however, and a session's end-point is extended on rotation as in a sliding window, this change resolves a bug that would cause the session-timeout banner to display a "Time remaining: 00:00" message without actually ending the session. This occurred because the original timer would not be canceled when the tokens rotated even though a new, later end-point had been established. Refs STCOR-930
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When a session ends due to timeout, the current location is stored in order to allow the subsequent session to begin where the previous one left off. If the "session timeout" event fires more than once**, however, this could lead to the
/logoutlocation being stored as the "return to" location with obvious dire consequences.There are two changes here:
/logoutto be stored. This fixes the symptom, not the root cause, but is still worthwhile.Refs STCOR-869