  1. Keycloak
  2. KEYCLOAK-2741

Don't remove KEYCLOAK_REMEMBERME cookie when sso session expires.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 2.4.0.CR1
    • Component/s: None
    • Labels:
      None

      Description

      When a user clicks "Remember me" on the login screen, we have a username "hint" provided by the KEYCLOAK_REMEMBERME cookie. IMO this cookie should later be deleted only when:

      • The user explicitly clicked on logout and manually logged himself out
      • The user clicks the "Login" button on the login screen without the rememberme checkbox checked

      IMO the KEYCLOAK_REMEMBERME cookie shouldn't be deleted when the SSO cookie is expired, which is the current behaviour and should be changed IMO.

      We can also add a new configuration option with some good default timeout for the KEYCLOAK_REMEMBERME cookie to be expired (maybe one month is sufficient? Currently the timeout of the cookie is not configurable and is hardcoded to 1 year).

                People

                • Assignee:
                  stianst Stian Thorgersen
                  Reporter:
                  mposolda Marek Posolda
                • Votes:
                  1
                  Watchers:
                  6
