Details
Feature Request
Resolution: Unresolved
Major
Description
The overall idea here is that once a user authenticates, the session becomes tied to that user and will give an error if anyone tries to use it on subsequent requests without providing credentials for the same user. For example, if a request used x.509 client certs for the user "cn=cdolphy,dc=redhat", this feature would throw an error if the session was already associated with a different user, and if the session was currently unauthenticated it would associate the session with "cn=cdolphy,dc=redhat". Once the session is associated with an identity, trying to access the session from an unauthenticated request would give an error.
SSO is one case where this could be useful as the HTTP session and SSO session are managed independently and come together at the request.
Binding the HTTP session to an X509Certificate or SSLSession could have some benefits, especially to prevent dropping back to a non-confidential transport and displaying data held in the session.
For FORM authentication it is less useful, as we load the identity from the FORM. For some cases we might be better off moving to the token representation of the identity for FORM authentication, but where the session ID needs to be within the URL the identity would need to come from the session.
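The binding rule described above, written as an added example rather than code from this issue or the project it tracks: a standard servlet Filter that ties an HttpSession to the first authenticated identity seen on it, then rejects any later request on that session that is anonymous or carries a different identity. The session attribute name, the fallback to the client certificate subject DN, and the 403-plus-invalidate error policy are all assumptions made for the example; the `javax.servlet.request.X509Certificate` request attribute is the one the Servlet specification defines.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds an HttpSession to the first authenticated identity that uses it and
 * rejects later requests that present a different identity or none at all.
 * Example code; the attribute name and the error policy are assumptions.
 */
public class SessionIdentityBindingFilter implements Filter {

    // Session attribute holding the identity the session was bound to (hypothetical name).
    static final String BOUND_IDENTITY = "example.session.boundIdentity";
    // Attribute under which a servlet container exposes the client certificate chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Resolves the caller's identity from the request, or null when it is unauthenticated. */
    static String identityOf(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            return principal.getName();
        }
        // Fall back to the client certificate subject, e.g. "CN=cdolphy,DC=redhat".
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain != null && chain.length > 0) {
            return chain[0].getSubjectX500Principal().getName();
        }
        return null;
    }

    /**
     * Applies the binding rule and returns true when the request may proceed.
     * Unbound session + authenticated request: bind it and continue.
     * Unbound session + anonymous request: continue, nothing to protect yet.
     * Bound session: the request must carry exactly the bound identity;
     * a different identity or no identity at all is rejected.
     */
    static boolean checkAndBind(HttpSession session, String identity) {
        if (session == null) {
            return true;
        }
        Object bound = session.getAttribute(BOUND_IDENTITY);
        if (bound == null) {
            if (identity != null) {
                session.setAttribute(BOUND_IDENTITY, identity);
            }
            return true;
        }
        return bound.equals(identity); // false for null identity as well
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one just to check it
        if (!checkAndBind(session, identityOf(request))) {
            // Identity mismatch or anonymous use of a bound session: discard the session so
            // its contents cannot be read over the non-matching (or non-confidential) path.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session is bound to another identity");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

The check is only meaningful where the container establishes the principal independently of the session, as with client certificates or an SSO token presented on each request. With FORM authentication, where the identity itself is restored from the session, `getUserPrincipal()` will always agree with the bound attribute, which is the limitation the description points out.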