Hi, I would like to know how Fediz "manipulates" the application's session management.
When you browse to a Fediz-protected resource (e.g. a servlet), Fediz "blocks" access, but a session is created nevertheless. Furthermore, a session cookie is produced for later reference. This suggests that a session is established between the browser of the user and Fediz. After all, the protected resource isn't reached yet, so a session cannot yet be established with it. After the user has logged in at his/her IDP and returns to Fediz, the session cookie is used to establish a "session with a token" with Fediz. Somehow this same session is now used by the protected application. What is it that actually happens? Does the user have a session with Fediz, or does the user have a session with the protected resource, or both? The external behaviour shows that only one session cookie is in use. Cheers, Frank

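The mechanism behind the "one cookie" observation, as an added illustration that is not part of the original post and not Fediz's own code: in a servlet container, a filter (or valve) placed in front of a servlet and the servlet itself see the same container-managed HttpSession, identified by the same cookie (JSESSIONID by default). The hypothetical filter below creates that session on the first, unauthenticated request so the original URL survives the round trip to the IdP, redirects the browser with WS-Federation passive-requestor parameters (wa, wtrealm, wreply, wctx), and on return validates the posted wresult and stores it in the same session, which the protected servlet then reads. The attribute names, the IdP URL and the TokenValidator interface are assumptions made for the example, not Fediz identifiers.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative pre-authentication filter (NOT Fediz code). It shows how a
 * gatekeeper filter and the protected servlet behind it share one
 * container-managed HttpSession, and therefore one session cookie.
 */
public class IdpRedirectFilter implements Filter {

    /** Validates a WS-Federation wresult (signature, issuer, audience, expiry). Assumed interface. */
    public interface TokenValidator {
        boolean isValid(String wresult);
    }

    // Hypothetical session attribute names and IdP endpoint; these are assumptions.
    static final String TOKEN_ATTR = "example.securityToken";
    static final String ORIGINAL_URL_ATTR = "example.originalRequestUrl";
    static final String IDP_LOGIN_URL = "https://idp.example.com/federation";

    private final TokenValidator validator;

    public IdpRedirectFilter(TokenValidator validator) {
        this.validator = validator;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Phase 2: the browser returns from the IdP, posting wa=wsignin1.0 and wresult.
        // The browser also presents the cookie of the session created in phase 1, so the
        // token is bound to that very session.
        String wresult = request.getParameter("wresult");
        if ("wsignin1.0".equals(request.getParameter("wa")) && wresult != null) {
            if (!validator.isValid(wresult)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid token");
                return;
            }
            HttpSession session = request.getSession(true);
            // Session fixation defence: do not promote the pre-login session id to an
            // authenticated one. changeSessionId() (Servlet 3.1+) keeps the attributes
            // but issues a fresh id and cookie.
            request.changeSessionId();
            session.setAttribute(TOKEN_ATTR, wresult);
            String target = (String) session.getAttribute(ORIGINAL_URL_ATTR);
            session.removeAttribute(ORIGINAL_URL_ATTR);
            response.sendRedirect(target != null ? target : request.getContextPath() + "/");
            return;
        }

        // Phase 3: an already-authenticated session passes through to the protected
        // servlet, which can read TOKEN_ATTR from request.getSession() itself.
        HttpSession existing = request.getSession(false);
        if (existing != null && existing.getAttribute(TOKEN_ATTR) != null) {
            chain.doFilter(request, response);
            return;
        }

        // Phase 1: unauthenticated. The container creates the session and sets the
        // session cookie here, before the protected resource is ever reached, so the
        // original URL can be restored after the IdP round trip.
        HttpSession session = request.getSession(true);
        String originalUrl = request.getRequestURL().toString();
        session.setAttribute(ORIGINAL_URL_ATTR, originalUrl);
        String enc = StandardCharsets.UTF_8.name();
        response.sendRedirect(IDP_LOGIN_URL
                + "?wa=wsignin1.0"
                + "&wtrealm=" + URLEncoder.encode(request.getContextPath(), enc)
                + "&wreply=" + URLEncoder.encode(originalUrl, enc)
                + "&wctx=" + URLEncoder.encode(session.getId(), enc));
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

In this arrangement there is only ever one session: the container's. The filter and the application are two consumers of the same HttpSession object, which is why a single session cookie is all the browser sees. The practical caveat is the one in phase 2: a session created before login and then simply marked authenticated is a session-fixation target, so the id should be regenerated at the moment the token is bound to it.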