Details
- Improvement
- Resolution: Unresolved
- Neutral
Description
Context
While working on the SSO epic, we found that the session is renewed (the current session is invalidated) after login and before the new Subject is set into MgnlContext.
Renewing the session after login is good practice for security reasons.
However, it breaks the way SSO (the Pac4j implementation) uses the session: Pac4j stores the user profiles in the session under the "pac4jUserProfiles" attribute. Invalidating that session discards all of the login information, which causes a logout problem: the global logout at the IdP is no longer performed.
In fact, Pac4j already performs the same renewal for us by default (https://www.pac4j.org/docs/callback-endpoint.html#c-renewsession) in DefaultCallbackLogic, which our SsoCallbackServlet calls.
Proposed solution
The LoginHandler should be the one that invalidates/renews the session, so the session invalidation has to move into the LoginHandler itself, including our FormLogin and BasicLogin.
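As an added illustration of the renewal the LoginHandler would own (not Magnolia's or Pac4j's own code), the helper below invalidates the pre-login session, so a session id fixated before authentication cannot survive login, while carrying over only the Pac4j profile attribute named above so the SSO state is not lost. It assumes the Servlet API; the class and method names are hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Session renewal that keeps a whitelist of attributes (added illustration, not Magnolia/Pac4j code). */
public final class SessionRenewer {

    // Attribute under which Pac4j stores the logged-in profiles, as named in the issue description.
    static final String PAC4J_PROFILES = "pac4jUserProfiles";

    private final Set<String> keep;

    public SessionRenewer(Set<String> attributesToKeep) {
        this.keep = Set.copyOf(attributesToKeep);
    }

    /**
     * Replaces the caller's session with a fresh one. Invalidating the old
     * session defeats session fixation: an id issued before login is worthless
     * after login. Only whitelisted attributes are copied across, so anything
     * planted in the pre-authentication session is dropped.
     */
    public HttpSession renew(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                if (keep.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        carried.forEach(fresh::setAttribute);
        return fresh;
    }

    // Intended call site: inside the LoginHandler, after credentials are verified
    // and before the Subject is stored in MgnlContext.
    public static HttpSession renewForSso(HttpServletRequest request) {
        return new SessionRenewer(Set.of(PAC4J_PROFILES)).renew(request);
    }
}
```

Because the renewal happens once, in the LoginHandler, the callback path no longer needs a second invalidation, and the profiles Pac4j needs for the global IdP logout remain in the new session.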