  1. Keycloak
  2. KEYCLOAK-2741

Don't remove KEYCLOAK_REMEMBERME cookie when SSO session expires.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 2.4.0.CR1
    • Component/s: None
    • Labels:
      None

      Description

      When a user clicks "Remember me" on the login screen, we have a username "hint" provided by the KEYCLOAK_REMEMBERME cookie. IMO this cookie should later be deleted only when:

      • The user explicitly clicked on logout and manually logged himself out
      • The user clicks the "Login" button on the login screen without the rememberme checkbox checked

      IMO the KEYCLOAK_REMEMBERME cookie shouldn't be deleted when the SSO cookie is expired, which is the current behaviour and should be changed IMO.

      We can also add a new configuration option with some good default timeout for the KEYCLOAK_REMEMBERME cookie to be expired (maybe one month is sufficient? Currently the timeout of the cookie is not configurable and is hardcoded to 1 year).

              People

              Assignee:
              stianst Stian Thorgersen
              Reporter:
              mposolda Marek Posolda
              Votes:
              1
              Watchers:
              6
