[keycloak-dev] Expected behaviour for rememberMe?

Marek Posolda mposolda at redhat.com
Mon Apr 4 03:31:53 EDT 2016


Seems there are 2 things here:

1) Username "hint" provided by KEYCLOAK_REMEMBERME cookie. IMO this 
cookie should be deleted only when:
- User explicitly clicked on logout and manually logged himself out
- User clicks on "Login" button on login screen without the rememberMe 
checkbox checked

IMO it shouldn't be deleted when SSO cookie is expired, which is current 
behaviour and should be changed IMO. In other words, I expect the 
scenario working like:
- User logged with "rememberMe" checkbox on
- User closed the browser
- After a month, user returned back to the application. His SSO session 
is expired, but KEYCLOAK_REMEMBERME cookie won't be deleted, so on login 
screen he will see the prefilled username and rememberMe checkbox 
switched to "on"


2) Persistent KEYCLOAK_IDENTITY cookie when rememberMe is switched to 
on. I can't see how it can work when session is expired as it relies on 
session in the cookie value. On the other hand, rememberMe shouldn't 
rely on "SSO Session idle timeout" IMO. SSO Idle timeout is only 30 
minutes by default. So current behaviour is, that when user closes his 
browser, he needs to open it again and is re-authenticated only if he 
does so within 30 minutes, which is a bit pointless IMO.

I would suggest to change the behaviour like this:
- When userSession is marked as rememberMe, then cleaner thread will 
take into account just "SSO Max Lifespan" timeout, but not SSO Idle timeout
- During verification of SSO cookie re-authentication and when session 
is rememberMe, we will take into account just SSO Max Lifespan of 
session, but not SSO Idle timeout
Refreshing of tokens will still take SSO Idle timeout just like now.

If we don't change the behaviour like this, we should at least update 
the "RememberMe" docs and tooltip to make it clearer what the behaviour 
would be in various cases.
WDYT?
Marek

On 31/03/16 16:26, Libor Krzyzanek wrote:
> I read docs today 
> http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630
>  and my understanding is that user should keep logged in after either 
> browser restart or session expiration.
> My tests show that after session expiration (set to 1 min) I have to 
> log in again.
>
> Thanks,
>
> Libor Krzyžanek
> Principal Software Engineer
> Red Hat Developers | Engineering
>
>> On Mar 31, 2016, at 3:00 PM, Marek Posolda <mposolda at redhat.com 
>> <mailto:mposolda at redhat.com>> wrote:
>>
>> Followup on the issue by Libor [1] . I can confirm to see the same
>> behaviour in the OOTB Keycloak, like Libor described in the JIRA. In
>> other words, when you refresh account page (
>> http://localhost:8080/auth/realms/myrealm/account ) but the UserSession
>> referenced from KEYCLOAK_IDENTITY cookie is expired, then all cookies
>> including KEYCLOAK_REMEMBERME are expired too.
>>
>> IMO RememberMe cookie shouldn't be expired when session is expired.
>> We're using the rememberMe cookie as hint for username on the login
>> page. So even if user returns to page after a month, I am not seeing
>> anything bad that rememberMe cookie is still valid and user will see
>> "hint" with his username on login page and rememberMe checkbox checked
>> even if session was expired already for a long time. IMO the only
>> situation when we should expire KEYCLOAK_REMEMBERME cookie is, when user
>> unchecks the "Remember me" checkbox on login page.
>>
>> [1] https://issues.jboss.org/browse/ORG-2956
>>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
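The two behaviours discussed in this thread, modelled side by side as an added example (this is not Keycloak's code and not anything posted by Marek or Libor). It encodes the current rule, where both "SSO Session Idle" and "SSO Max Lifespan" apply to every session, and Marek's proposed rule, where a rememberMe session is checked only against the max lifespan for cookie re-authentication and the cleaner, while token refresh keeps honouring the idle timeout. The 30-minute idle default comes from the thread; the 10-hour max lifespan default and the cookie-policy helper for KEYCLOAK_REMEMBERME (point 1 in Marek's mail) are assumptions made for this example. All times are in seconds.

```python
from dataclasses import dataclass

# Seconds. The idle default is the one named in the thread; the max
# lifespan default is an assumption for this example.
SSO_SESSION_IDLE_DEFAULT = 30 * 60
SSO_SESSION_MAX_DEFAULT = 10 * 60 * 60


@dataclass
class RealmTimeouts:
    sso_session_idle: int = SSO_SESSION_IDLE_DEFAULT
    sso_session_max: int = SSO_SESSION_MAX_DEFAULT


@dataclass
class UserSession:
    started: int        # time of authentication
    last_refresh: int   # last time the session was touched (page load, token refresh)
    remember_me: bool   # rememberMe checkbox was on at login


def _within_idle(session, timeouts, now):
    return now - session.last_refresh < timeouts.sso_session_idle


def _within_max(session, timeouts, now):
    return now - session.started < timeouts.sso_session_max


def is_valid_current(session, timeouts, now):
    """Current behaviour described in the thread: idle and max lifespan both
    apply, whether or not the session was created with rememberMe."""
    return _within_idle(session, timeouts, now) and _within_max(session, timeouts, now)


def is_valid_proposed(session, timeouts, now, token_refresh=False):
    """Marek's proposal: for SSO-cookie re-authentication and for the cleaner
    thread, a rememberMe session is judged only by SSO Max Lifespan. Token
    refresh is unchanged and still applies the idle timeout."""
    if session.remember_me and not token_refresh:
        return _within_max(session, timeouts, now)
    return _within_idle(session, timeouts, now) and _within_max(session, timeouts, now)


def rememberme_cookie_survives(event, remember_me_checked=False):
    """Cookie policy from point 1 of the mail (assumed encoding): the
    KEYCLOAK_REMEMBERME username hint is dropped only on an explicit logout
    or on a login submitted with the checkbox unchecked. An expired SSO
    session ("sso_expired") leaves the hint in place."""
    if event == "logout":
        return False
    if event == "login":
        return bool(remember_me_checked)
    return True


def libor_scenario(return_after):
    """Reproduce Libor's test: idle timeout set to 1 minute, rememberMe on,
    user comes back `return_after` seconds later. Returns whether the user
    must log in again under each rule."""
    timeouts = RealmTimeouts(sso_session_idle=60)
    session = UserSession(started=0, last_refresh=0, remember_me=True)
    return {
        "current_needs_login": not is_valid_current(session, timeouts, return_after),
        "proposed_needs_login": not is_valid_proposed(session, timeouts, return_after),
        "hint_still_shown": rememberme_cookie_survives("sso_expired"),
    }


if __name__ == "__main__":
    # Returning after two minutes: current rule forces a login, proposed does not.
    print(libor_scenario(120))
    # Returning after a month: both rules require a login (max lifespan exceeded),
    # but the username hint and checkbox are still prefilled.
    print(libor_scenario(30 * 24 * 3600))
```

Running the block reproduces Libor's observation under the current rule and shows that the proposal keeps the session alive past the idle window while still expiring it at the max lifespan; the cookie helper shows the hint surviving an expired SSO session either way.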
