diff --git a/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java b/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
index 0bda3a0..1ba484a 100755
--- a/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/WelcomeResource.java
@@ -67,7 +67,7 @@ public class WelcomeResource {
protected static final Logger logger = Logger.getLogger(WelcomeResource.class);
- private static final String KEYCLOAK_STATE_CHECKER = "KEYCLOAK_STATE_CHECKER";
+ private static final String KEYCLOAK_STATE_CHECKER = "WELCOME_STATE_CHECKER";
private boolean bootstrap;
@@ -134,6 +134,8 @@ public class WelcomeResource {
return createWelcomePage(null, "Password and confirmation doesn't match");
}
+ expireCsrfCookie();
+
ApplianceBootstrap applianceBootstrap = new ApplianceBootstrap(session);
if (applianceBootstrap.isNoMasterUser()) {
bootstrap = false;
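Review bot: The new `expireCsrfCookie();` call carries no comment saying why it sits exactly here, and the placement has a consequence worth recording: once it runs, every response rendered further down (the `isNoMasterUser()` false branch and whatever follows outside the hunk) must issue a fresh state checker, or the user is left holding an expired cookie and their next POST fails `csrfCheck`. I take it the intent is to make the checker single-use so a replayed POST is rejected; if so, say it: `// State checker is single-use: expire it once the form has passed validation. Any page rendered after this point must re-issue one (createWelcomePage does so).` — the parenthetical only if that is actually true, which this hunk does not show. Note also that the early-return failure paths above (e.g. the password mismatch on the first line) do not expire the cookie; that is presumably fine because they re-render the form, but worth a glance. The enclosing method starts before and ends after this hunk.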
@@ -244,10 +246,16 @@ public class WelcomeResource {
String stateChecker = Base64Url.encode(KeycloakModelUtils.generateSecret());
String cookiePath = uriInfo.getPath();
boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
- CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, -1, secureOnly, true);
+ CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, stateChecker, cookiePath, null, null, 300, secureOnly, true);
return stateChecker;
}
+ private void expireCsrfCookie() {
+ String cookiePath = uriInfo.getPath();
+ boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
+ CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, "", cookiePath, null, null, 0, secureOnly, true);
+ }
+
private void csrfCheck(final MultivaluedMap<String, String> formData) {
String formStateChecker = formData.getFirst("stateChecker");
Cookie cookie = headers.getCookies().get(KEYCLOAK_STATE_CHECKER);
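Review bot: `expireCsrfCookie()` re-derives the cookie path and Secure flag with the same two lines as the setter above it, and the browser only honours the Max-Age=0 overwrite if name, path and Secure match exactly — so any future drift between the two copies silently turns the expiry into a no-op and leaves the old checker alive. A single private helper taking the value and max-age removes that risk and also documents the attributes in one place. Separately, the change from a session cookie to `300` seconds means a user who takes more than five minutes on the welcome form will now fail `csrfCheck` rather than submit; whether the failure page tells them to reload is decided in `csrfCheck`, whose body continues past the end of this hunk. The setter method's signature is above the hunk, so the sketch below shows only the helper and the two call sites.
```java
/** Writes the state-checker cookie with the attributes csrfCheck relies on; maxAge 0 expires it. */
private void addStateCheckerCookie(String value, int maxAge) {
    String cookiePath = uriInfo.getPath();
    // Secure only when the request itself arrived over https; behind a TLS-terminating proxy this may be false.
    boolean secureOnly = uriInfo.getRequestUri().getScheme().equalsIgnoreCase("https");
    CookieHelper.addCookie(KEYCLOAK_STATE_CHECKER, value, cookiePath, null, null, maxAge, secureOnly, true);
}
// … in the setter: addStateCheckerCookie(stateChecker, 300);
private void expireCsrfCookie() {
    addStateCheckerCookie("", 0);
}
```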