I read docs today http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630
 and my understanding is that user should keep logged in after either browser restart or session expiration.
My tests shows that after session expiration (set to 1 min) I have to log in again.

Thanks,

Libor Krzy┼żanek
Principal Software Engineer
Red Hat Developers | Engineering

On Mar 31, 2016, at 3:00 PM, Marek Posolda <mposolda@redhat.com> wrote:

Followup on the issue by Libor [1] . I can confirm to see the same
behaviour in the OOTB Keycloak, like Libor described in the JIRA. In
other words, when you refresh account page (
http://localhost:8080/auth/realms/myrealm/account ) but the UserSession
referenced from KEYCLOAK_IDENTITY cookie is expired, then all cookies
including KEYCLOAK_REMEMBERME are expired too.

IMO RememberMe cookie shouldn't be expired when session is expired.
We're using the rememberMe cookie as hint for username on the login
page. So even if user returns to page after a month, I am not seeing
anything bad that rememberMe cookie is still valid and user will see
"hint" with his username on login page and rememberMe checkbox checked
even if session was expired already for a long time. IMO the only
situation when we should expire KEYCLOAK_REMEMBERME cookie is, when user
unchecks the "Remember me" checkbox on login page.

[1] https://issues.jboss.org/browse/ORG-2956

Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev