We have been using Picketlink for a long time, and all went well. But now, when we tried to upgrade Picketlink to the new version 2.7.0, we faced unusual behavior.
We expected that a user would be able to use our services from different browsers or devices at the same time. But the implementation of org.picketlink.identity.federation.web.core.SessionManager does not allow us to provide such functionality, because it stores session references in a map where the key is principal.name only. Is this correct?
I think such behavior may lead to security malfunctions.
Let's imagine I've opened two applications (SPs) in Chrome. After visiting the same applications in Firefox, I press logout in FF: all my FF sessions are invalidated and FF redirects me to the login page, which is correct. But if I press logout in Chrome, the browser is redirected to the login page, but one of my applications can be accessed without logging in to the IDP.
We can override the standard logout handler, but I think it is a fault in Picketlink's security.
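The two-browser scenario from the post, replayed as an added simulation. This is not PicketLink code and not the poster's code: the registry keyed by principal name is an assumed, simplified model of the behaviour described (a login from a second browser replaces the SP sessions tracked for the first), contrasted with a registry keyed by the IdP session. The class and session names (ByPrincipalName, ByIdpSession, app1, idp-sess-chrome, and so on) are invented for the example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Constructed simulation of single logout with two registry designs.
 * Not PicketLink code: the "keyed by principal name" registry is an assumed
 * model of the behaviour described in the post, not a copy of SessionManager.
 */
public class LogoutRegistryDemo {

    /** One SP session: which browser (cookie jar) holds it and for which SP it was issued. */
    static final class SpSession {
        final String browser;
        final String sp;
        boolean valid = true;
        SpSession(String browser, String sp) { this.browser = browser; this.sp = sp; }
        @Override public String toString() { return browser + "/" + sp + (valid ? "" : " (invalidated)"); }
    }

    /** IdP-side registry of SP sessions, used to drive single logout. */
    interface Registry {
        /** Called when the IdP issues an assertion to an SP inside the given IdP session. */
        void track(String principal, String idpSession, SpSession s);
        /** Single logout started from one SP; that SP always kills its own local session. */
        void logout(String principal, String idpSession, SpSession initiator);
    }

    /** Assumed model of the problem: one entry per principal name, so a login from a
     *  second browser (new IdP session) replaces whatever was tracked for the first one. */
    static final class ByPrincipalName implements Registry {
        private final Map<String, Set<SpSession>> byName = new HashMap<>();
        private final Map<String, String> owner = new HashMap<>(); // principal -> IdP session owning the entry

        public void track(String principal, String idpSession, SpSession s) {
            if (!idpSession.equals(owner.get(principal))) {
                byName.put(principal, new HashSet<>()); // previous browser's sessions are forgotten
                owner.put(principal, idpSession);
            }
            byName.get(principal).add(s);
        }

        public void logout(String principal, String idpSession, SpSession initiator) {
            initiator.valid = false;
            Set<SpSession> tracked = byName.remove(principal);
            owner.remove(principal);
            if (tracked != null) tracked.forEach(s -> s.valid = false);
        }
    }

    /** Registry keyed by IdP session: each browser/device has its own set of SP sessions. */
    static final class ByIdpSession implements Registry {
        private final Map<String, Set<SpSession>> byIdpSession = new HashMap<>();

        public void track(String principal, String idpSession, SpSession s) {
            byIdpSession.computeIfAbsent(idpSession, k -> new HashSet<>()).add(s);
        }

        public void logout(String principal, String idpSession, SpSession initiator) {
            initiator.valid = false;
            Set<SpSession> tracked = byIdpSession.remove(idpSession);
            if (tracked != null) tracked.forEach(s -> s.valid = false);
        }
    }

    /** Replays the post's scenario and returns the SP sessions still valid after both logouts. */
    static List<SpSession> replay(Registry registry) {
        String user = "alice"; // constructed principal name
        SpSession chromeApp1 = new SpSession("chrome", "app1");
        SpSession chromeApp2 = new SpSession("chrome", "app2");
        SpSession ffApp1 = new SpSession("firefox", "app1");
        SpSession ffApp2 = new SpSession("firefox", "app2");

        registry.track(user, "idp-sess-chrome", chromeApp1);   // two SPs opened in Chrome
        registry.track(user, "idp-sess-chrome", chromeApp2);
        registry.track(user, "idp-sess-firefox", ffApp1);      // same SPs opened in Firefox
        registry.track(user, "idp-sess-firefox", ffApp2);

        registry.logout(user, "idp-sess-firefox", ffApp1);     // logout pressed in Firefox
        registry.logout(user, "idp-sess-chrome", chromeApp1);  // then logout pressed in Chrome

        List<SpSession> stillValid = new ArrayList<>();
        for (SpSession s : List.of(chromeApp1, chromeApp2, ffApp1, ffApp2)) {
            if (s.valid) stillValid.add(s);
        }
        return stillValid;
    }

    public static void main(String[] args) {
        // Expected: the principal-name registry leaves chrome/app2 reachable, the IdP-session one leaves nothing.
        System.out.println("keyed by principal name, still valid: " + replay(new ByPrincipalName()));
        System.out.println("keyed by IdP session,    still valid: " + replay(new ByIdpSession()));
    }
}
```

With the principal-name registry the Firefox login overwrote the Chrome entry, so the Firefox logout cleans up Firefox completely while the later Chrome logout finds nothing to invalidate beyond the SP that received the click, leaving the second Chrome application reachable. Keying the registry by the IdP session (or by principal plus IdP session) keeps each browser's SP sessions separate, so logout from either browser invalidates exactly that browser's sessions.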