Followup on the issue by Libor [1]. I can confirm that I see the same behaviour in the OOTB Keycloak as Libor described in the JIRA. In other words, when you refresh the account page (http://localhost:8080/auth/realms/myrealm/account) but the UserSession referenced from the KEYCLOAK_IDENTITY cookie is expired, then all cookies, including KEYCLOAK_REMEMBERME, are expired too.

IMO the RememberMe cookie shouldn't be expired when the session is expired. We're using the rememberMe cookie as a hint for the username on the login page. So even if the user returns to the page after a month, I don't see anything bad in the rememberMe cookie still being valid and the user seeing the "hint" with his username on the login page and the rememberMe checkbox checked, even if the session expired a long time ago. IMO the only situation when we should expire the KEYCLOAK_REMEMBERME cookie is when the user unchecks the "Remember me" checkbox on the login page.

[1] https://issues.jboss.org/browse/ORG-2956

Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev