On 9/16/2014 10:25 AM, Marek Posolda wrote:
> On 16.9.2014 16:15, Bill Burke wrote:
>> There are multiple cookies that have different purposes. The remember
>> me cookie might be a legacy thing that we needed prior to having a user
>> session. We needed a way to propagate that the user clicked "remember
>> me" if there was an account action that needed to take place or if OTP
>> was enabled. This cookie may not be needed anymore because UserSessions
>> are so core to what we're doing.
> Yes, looks like it's purely legacy as it's not used for anything now. We
> can either remove this cookie completely (and all the code related to
> it) or use it to 'prefill' the login form as Stian proposed.
>>
>> We have two keycloak identity cookies. One is persistent, secure, and
>> HttpOnly and contains a digitally signed access token. This is used to
>> authenticate a user. The other identity cookie is session only,
>> non-persistent, can be propagated from Javascript (not HttpOnly) and is
>> used solely with the Keycloak.js library to determine if the user is
>> still logged in. (the iframe stuff).
> Yep, I know. What I am proposing is to increase the lifespan of the identityToken
> attached to KEYCLOAK_IDENTITY
> (AuthenticationManager.createIdentityToken) to ssoSessionMaxLifespan
> instead of ssoSessionIdleTimeout. As currently it could happen that you
> are logged out even if your UserSession is still valid (example 1 from
> my first mail).
Again, probably a legacy thing why it is implemented the way it's
implemented. Cookie authentication just needs to check the session to
see if it has been idle too long.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
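As an added illustration of the mismatch Marek describes and the check Bill proposes (this is not Keycloak code; the HMAC signing, the timeout values and the in-memory session table are constructed stand-ins for the realm-signed identity token and the UserSession store):

```python
import base64, hashlib, hmac, json

# Constructed demo values; Keycloak signs the cookie with the realm key, not an HMAC secret.
SECRET = b"constructed-demo-key"
SSO_IDLE_TIMEOUT = 1800      # ssoSessionIdleTimeout, seconds
SSO_MAX_LIFESPAN = 36000     # ssoSessionMaxLifespan, seconds

def create_identity_token(session_id, issued_at, expires_at):
    """Stand-in for AuthenticationManager.createIdentityToken: a signed, expiring claim set."""
    payload = json.dumps({"sid": session_id, "iat": issued_at, "exp": expires_at}).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac

def verify_identity_token(token, now):
    """Return the claims if the signature is valid and the token has not expired, else None."""
    b64, mac = token.split(".", 1)
    payload = base64.urlsafe_b64decode(b64)
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    return claims if now < claims["exp"] else None

def authenticate_cookie(token, sessions, now):
    """Bill's rule: trust the signed cookie, then ask the UserSession whether it is still live."""
    claims = verify_identity_token(token, now)
    if claims is None:
        return False
    session = sessions.get(claims["sid"])
    if session is None:
        return False
    idle_ok = now - session["last_refresh"] <= SSO_IDLE_TIMEOUT
    lifespan_ok = now - session["started"] <= SSO_MAX_LIFESPAN
    return idle_ok and lifespan_ok

def login_state(token_lifespan, now, last_refresh):
    """Session starts at t=0 and the cookie is minted at t=0 with the given lifespan; the session
    was last refreshed (e.g. by another client) at last_refresh. True if the cookie still logs in."""
    token = create_identity_token("sess-1", 0, token_lifespan)
    sessions = {"sess-1": {"started": 0, "last_refresh": last_refresh}}
    return authenticate_cookie(token, sessions, now)

# Marek's example 1: the session was refreshed at t=1500, so at t=2000 it is not idle,
# yet a cookie bound to ssoSessionIdleTimeout has already expired -> spurious logout.
CURRENT_BEHAVIOUR = login_state(SSO_IDLE_TIMEOUT, now=2000, last_refresh=1500)   # False
# Bound to ssoSessionMaxLifespan instead, the cookie survives and the UserSession check
# decides; a truly idle session (no refresh since t=1500, now t=4000) is still rejected.
PROPOSED_BEHAVIOUR = login_state(SSO_MAX_LIFESPAN, now=2000, last_refresh=1500)  # True
PROPOSED_IDLE = login_state(SSO_MAX_LIFESPAN, now=4000, last_refresh=1500)       # False
```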