On 4 April 2016 at 10:44, Stian Thorgersen <sthorger@redhat.com> wrote:

On 4 April 2016 at 09:31, Marek Posolda <mposolda@redhat.com> wrote:
Seems there are 2 things here:

1) Username "hint" provided by KEYCLOAK_REMEMBERME cookie. IMO this cookie should be deleted only when:
- User explicitly clicked on logout and maually logout himself
- User click on "Login" button on login screen without the rememberme checkbox checked

IMO it shouldn't be deleted when SSO cookie is expired, which is current behaviour and should be changed IMO. In other words, I expect the scenario working like:
- User logged with "rememberMe" checkbox on
- User closed the browser
- After a month, user returned back to the application. His SSO session is expired, but KEYCLOAK_REMEMBERME cookie won't be deleted, so on login screen he will see the prefilled username and rememberMe checkbox switched to "on"

Create a JIRA to request remember me cookie to not be removed. However, we need some way of configuring expiration of the cookie. This would be for 2.x.

2) Persistent KEYCLOAK_IDENTITY cookie when rememberMe is switched to on. I can't see how it can work when session is expired as it relies on session in the cookie value. On the other hand, rememberMe shouldn't rely on "SSO Session idle timeout" IMO.  SSO IDle timeout is only 30 minutes by default. So current behaviour is, that when user closes his browser, he needs to open in again and being re-authenticated only when he do within 30 minutes, which is bit of pointless IMO.

I would suggest to change the behaviour like this:
- When userSession is marked as rememberMe, then cleaner thread will take into account just "SSO Max Lifespan" timeout, but not SSO Idle timeout
- During verification of SSO cookie re-authentication and when session is rememberMe, we will take into account just SSO Max Lifespan of session, but not SSO Idle timeout
Refreshing of tokens will still take SSO Idle timeout just like now.

If we not change the behaviour like this, we should at least update "RememberMe" docs and tooltip to make it more clear what the behaviour would be in various cases.

We've already discussed this and there's a JIRA requesting it (https://issues.jboss.org/browse/KEYCLOAK-1267). The default behavior should be that SSO Idle timeout is taken into account, but there should be an realm option to ignore it and only rely on SSO Max lifespan. This is also for 2.x.

Actually, thinking about this some more IMO we should either reject KEYCLOAK-1267 or add separate idle/max configuration for remember me, not just ignore. Having user sessions that doesn't take SSO Idle into account would potentially result in a large number of unused user sessions left in the system. Especially if SSO Max is large. It could be users clicked it by mistake in incognito mode, they manually cleared cookies, they re-installed the machine, etc.


On 31/03/16 16:26, Libor Krzyzanek wrote:
I read docs today http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630
 and my understanding is that user should keep logged in after either browser restart or session expiration.
My tests shows that after session expiration (set to 1 min) I have to log in again.


Libor Krzyžanek
Principal Software Engineer
Red Hat Developers | Engineering

On Mar 31, 2016, at 3:00 PM, Marek Posolda <mposolda@redhat.com> wrote:

Followup on the issue by Libor [1] . I can confirm to see the same
behaviour in the OOTB Keycloak, like Libor described in the JIRA. In
other words, when you refresh account page (
http://localhost:8080/auth/realms/myrealm/account ) but the UserSession
referenced from KEYCLOAK_IDENTITY cookie is expired, then all cookies
including KEYCLOAK_REMEMBERME are expired too.

IMO RememberMe cookie shouldn't be expired when session is expired.
We're using the rememberMe cookie as hint for username on the login
page. So even if user returns to page after a month, I am not seeing
anything bad that rememberMe cookie is still valid and user will see
"hint" with his username on login page and rememberMe checkbox checked
even if session was expired already for a long time. IMO the only
situation when we should expire KEYCLOAK_REMEMBERME cookie is, when user
unchecks the "Remember me" checkbox on login page.

[1] https://issues.jboss.org/browse/ORG-2956

keycloak-dev mailing list

keycloak-dev mailing list