<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">I read docs today <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630" class="">http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630<br class=""></a> and my understanding is that user should keep logged in after either browser restart or session expiration.</div><div class="">My tests shows that after session expiration (set to 1 min) I have to log in again.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class=""><div class=""><br class=""></div><div class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Libor Krzyžanek</div><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Principal Software Engineer<br class="">Red Hat Developers | Engineering</div>
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On Mar 31, 2016, at 3:00 PM, Marek Posolda <<a href="mailto:mposolda@redhat.com" class="">mposolda@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Followup on the issue by Libor [1] . I can confirm to see the same <br class="">behaviour in the OOTB Keycloak, like Libor described in the JIRA. In <br class="">other words, when you refresh account page ( <br class=""><a href="http://localhost:8080/auth/realms/myrealm/account" class="">http://localhost:8080/auth/realms/myrealm/account</a> ) but the UserSession <br class="">referenced from KEYCLOAK_IDENTITY cookie is expired, then all cookies <br class="">including KEYCLOAK_REMEMBERME are expired too.<br class=""><br class="">IMO RememberMe cookie shouldn't be expired when session is expired. <br class="">We're using the rememberMe cookie as hint for username on the login <br class="">page. So even if user returns to page after a month, I am not seeing <br class="">anything bad that rememberMe cookie is still valid and user will see <br class="">"hint" with his username on login page and rememberMe checkbox checked <br class="">even if session was expired already for a long time. IMO the only <br class="">situation when we should expire KEYCLOAK_REMEMBERME cookie is, when user <br class="">unchecks the "Remember me" checkbox on login page.<br class=""><br class="">[1] <a href="https://issues.jboss.org/browse/ORG-2956" class="">https://issues.jboss.org/browse/ORG-2956</a><br class=""><br class="">Marek<br class="">_______________________________________________<br class="">keycloak-dev mailing list<br class=""><a href="mailto:keycloak-dev@lists.jboss.org" class="">keycloak-dev@lists.jboss.org</a><br class="">https://lists.jboss.org/mailman/listinfo/keycloak-dev<br class=""></div></div></blockquote></div><br class=""></div></div></body></html>