Store KAS session cookie on user login
Summary
Following the technical work suggested by @hfyngvason, this issue proposes to store a KAS session cookie on user login and to clear the cookie on user logout.
Details:
- GitLab should store a KAS session cookie with the domain set to the KAS domain
- In the cookie, there should be an identifier that uniquely identifies this login session
- On GitLab logout, this identifier is cleared from GitLab (possibly splittable)
For the precise identifier, I was thinking we might just encrypt the current user's session ID. That way, the KAS cookie is automatically tied to the existing user session, while the encryption ensures that the actual session ID remains private between GitLab and the user.
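As an added illustration of the design above (example code, not GitLab's or KAS's own implementation), the session ID is wrapped with authenticated encryption (AES-256-GCM) before it is placed in a cookie scoped to the KAS domain, and the logout path expires that same cookie. The cookie name `_gitlab_kas`, the key handling and the attribute hashes are assumptions for the example.

```ruby
require 'openssl'
require 'base64'

# Added example (not GitLab's own code): ties a KAS cookie to the GitLab login
# session by storing an encrypted copy of the session ID, and clears it on logout.
module KasSessionCookie
  COOKIE_NAME = '_gitlab_kas'   # hypothetical cookie name
  CIPHER = 'aes-256-gcm'        # authenticated encryption: tampering is detected

  # Encrypt the session ID so the raw value never reaches KAS or the browser.
  # `key` must be 32 random bytes known only to GitLab.
  def self.encrypt_session_id(session_id, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv                 # fresh 12-byte nonce per cookie
    cipher.auth_data = COOKIE_NAME        # binds the ciphertext to this purpose
    ciphertext = cipher.update(session_id) + cipher.final
    # iv (12) + tag (16) + ciphertext, URL-safe so it is a valid cookie value
    Base64.urlsafe_encode64(iv + cipher.auth_tag + ciphertext, padding: false)
  end

  # Returns the session ID, or nil if the token was altered or made with another key.
  def self.decrypt_session_id(token, key)
    raw = Base64.urlsafe_decode64(token)
    iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..]
    return nil if iv.nil? || tag.nil? || ciphertext.nil? || iv.bytesize != 12 || tag.bytesize != 16
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = COOKIE_NAME
    cipher.update(ciphertext) + cipher.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    nil   # bad base64, wrong key, or modified bytes all fail closed
  end

  # Cookie set on login: scoped to the KAS domain, not readable by scripts,
  # HTTPS only, and not sent on cross-site requests.
  def self.login_cookie(session_id, key, kas_domain)
    { name: COOKIE_NAME, value: encrypt_session_id(session_id, key),
      domain: kas_domain, path: '/', secure: true, httponly: true, same_site: :lax }
  end

  # On logout the cookie is expired on the same domain and path so the browser drops it.
  def self.logout_cookie(kas_domain)
    { name: COOKIE_NAME, value: '', domain: kas_domain, path: '/',
      expires: Time.at(0), secure: true, httponly: true, same_site: :lax }
  end
end
```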
Possibly useful references:
- https://docs.gitlab.com/ee/development/session.html
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/controllers/sessions_controller.rb
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/auth/auth_finders.rb
- https://docs.gitlab.com/ee/api/#session-cookie
- https://docs.gitlab.com/ee/user/profile/active_sessions.html
Edited by João Alexandre Cunha