One of the headline new features in OpenAM 13 is support for Stateless Sessions, which allow for essentially unlimited horizontal scalability of your session infrastructure. This is achieved by moving session state out of the data store and placing it directly on the client as a signed and encrypted JWT. Any server in the cluster can then handle any request to validate a session token locally by simply validating the signature on the JWT and checking that the token has not yet expired (using the expiry timestamp baked into the token itself). Stateless sessions are not in themselves a new concept, and there are a handful of implementations out there. You may be thinking “Great! Where do I sign?”, but there has been an Achilles’ heel with stateless that has held it back from being truly production-ready - how to handle logout. The general advice is that stateless logout is very hard or impossible. Well, we’re not afraid of a bit of hard work at Forgerock, so we decided to solve that problem. In this post I’ll tell you how we did it.

Why do we want to logout anyway?

Before we get into the technical details, we should step back and ask why we need to handle logout anyway? Does it matter? If you care about security and usability, then the answer should be yes. The purpose of a session cookie is to prevent a user having to re-authenticate for every single request they make to a system.