Hello,
it seems like I am facing a similar issue as this one: https://jira.camunda.com/browse/CAM-9089
The issue is marked as fixed and I am using an older Camunda Version than the one stated there.
I am using Camunda with the Keycloak Identity Provider Extension. Everything seemed to work fine in the frontend application, but I noticed a strange behaviour when logging in with 2 users in 2 Windows of the same browser:
- Window 1: Login as user A → See Tasks of user A
- Window 2: Go to the frontend App, logout as user A and login as user B
- Window 1: Refresh, now the authenticated user is user B. Logout as user B and login as user A → See tasks of user B
The tasks shown should be the ones from user A, as it is the user that shows as logged in.
I noticed that if I erase the “JSESSIONID” cookie and refresh the page, the tasks of user A are shown in Window 1 (without having to log in again; I guess the Keycloak cookies are all the application needs).
My guess is that since user A was never properly logged out in window 1 and user B is still logged in in window 2 the JSESSIONID of user B is reused when logging in again.
I am not an expert in cookies and I have the following questions:
- Is this a bug at all? Or is JSESSIONID just doing what it's supposed to do by storing the last session until the user logs out?
- Is there a way of deleting the JSESSIONID cookie, and, if so, is this a good idea? As I previously said, the Keycloak cookies seem to be all the application needs thanks to the Keycloak extension.
I tried defining the session-config as follows in the camunda-web.xml file:
<session-config>
    <session-timeout>1</session-timeout>
    <cookie-config>
        <max-age>0</max-age>
    </cookie-config>
</session-config>
But this didn't do the trick. Any suggestions?
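As an added example (not code from the original post, nor from Camunda or the Keycloak extension), here is a servlet filter that illustrates the mitigation for the behaviour described above: whenever the identity delivered by the container no longer matches the identity the session was created for, the old session (and with it the old JSESSIONID) is discarded. It assumes the Keycloak adapter exposes the logged-in user through getUserPrincipal(); the session attribute name is made up for this example.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Binds each servlet session to the user it was created for. If a request
 * arrives with a session owned by user B but the container now reports
 * user A (re-login in another window), the stale session is invalidated so
 * nothing cached for B is served to A, and a fresh JSESSIONID is issued.
 */
public class SessionOwnerFilter implements Filter {

    // Hypothetical attribute name; not defined by Camunda or Keycloak.
    static final String OWNER_ATTR = "example.sessionOwner";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Assumption: the Keycloak adapter populates the container principal.
        Principal principal = request.getUserPrincipal();
        String currentUser = principal == null ? null : principal.getName();

        HttpSession session = request.getSession(false);
        if (session != null) {
            String owner = (String) session.getAttribute(OWNER_ATTR);
            if (owner != null && !owner.equals(currentUser)) {
                // Owner changed (different login, or logout): drop the session.
                session.invalidate();
                session = null;
            }
        }

        if (currentUser != null) {
            // Record the owner on the (possibly new) session for later requests.
            if (session == null) {
                session = request.getSession(true);
            }
            session.setAttribute(OWNER_ATTR, currentUser);
        }
        chain.doFilter(req, res);
    }
}
```

The filter needs to run before any filter that reads user-specific state from the session, so it should be mapped ahead of the application's authentication filters in web.xml.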