[keycloak-dev] Expected behaviour for rememberMe?
Marek Posolda
mposolda at redhat.com
Mon Apr 4 08:58:15 EDT 2016
On 04/04/16 10:50, Stian Thorgersen wrote:
>
>
> On 4 April 2016 at 10:44, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>
> On 4 April 2016 at 09:31, Marek Posolda <mposolda at redhat.com> wrote:
>
> Seems there are 2 things here:
>
> 1) Username "hint" provided by KEYCLOAK_REMEMBERME cookie. IMO
> this cookie should be deleted only when:
> - User explicitly clicked on logout and manually logged himself out
> - User clicks on "Login" button on login screen without the
> rememberMe checkbox checked
>
> IMO it shouldn't be deleted when SSO cookie is expired, which
> is current behaviour and should be changed IMO. In other
> words, I expect the scenario working like:
> - User logged with "rememberMe" checkbox on
> - User closed the browser
> - After a month, user returned back to the application. His
> SSO session is expired, but KEYCLOAK_REMEMBERME cookie won't
> be deleted, so on login screen he will see the prefilled
> username and rememberMe checkbox switched to "on"
>
>
> Create a JIRA to request remember me cookie to not be removed.
> However, we need some way of configuring expiration of the cookie.
> This would be for 2.x.
>
Ok, Thanks. Created https://issues.jboss.org/browse/KEYCLOAK-2741
>
>
>
> 2) Persistent KEYCLOAK_IDENTITY cookie when rememberMe is
> switched to on. I can't see how it can work when session is
> expired as it relies on session in the cookie value. On the
> other hand, rememberMe shouldn't rely on "SSO Session idle
> timeout" IMO. SSO Idle timeout is only 30 minutes by default.
> So current behaviour is that when user closes his browser, he
> needs to open it again and is re-authenticated only when he
> does so within 30 minutes, which is a bit pointless IMO.
>
> I would suggest to change the behaviour like this:
> - When userSession is marked as rememberMe, then cleaner
> thread will take into account just "SSO Max Lifespan" timeout,
> but not SSO Idle timeout
> - During verification of SSO cookie re-authentication and when
> session is rememberMe, we will take into account just SSO Max
> Lifespan of session, but not SSO Idle timeout
> Refreshing of tokens will still take SSO Idle timeout just
> like now.
>
> If we do not change the behaviour like this, we should at least
> update "RememberMe" docs and tooltip to make it more clear
> what the behaviour would be in various cases.
> WDYT?
>
>
> We've already discussed this and there's a JIRA requesting it
> (https://issues.jboss.org/browse/KEYCLOAK-1267). The default
> behavior should be that SSO Idle timeout is taken into account,
> but there should be a realm option to ignore it and only rely on
> SSO Max lifespan. This is also for 2.x.
>
>
> Actually, thinking about this some more, IMO we should either reject
> KEYCLOAK-1267 or add separate idle/max configuration for remember me,
> not just ignore. Having user sessions that don't take SSO Idle into
> account would potentially result in a large number of unused user
> sessions left in the system, especially if SSO Max is large. It could
> be users clicked it by mistake in incognito mode, they manually
> cleared cookies, they re-installed the machine, etc.
+1 to add separate timeouts for rememberMe. We can have those timeouts
available in the UI only if the realm has "Remember me" enabled
(same as the timeout for the KEYCLOAK_REMEMBERME cookie specified in
KEYCLOAK-2741).
Marek
>
>
> Marek
>
>
> On 31/03/16 16:26, Libor Krzyzanek wrote:
>> I read docs today
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630
>> and my understanding is that user should keep logged in
>> after either browser restart or session expiration.
>> My tests show that after session expiration (set to 1 min) I
>> have to log in again.
>>
>> Thanks,
>>
>> Libor Krzyžanek
>> Principal Software Engineer
>> Red Hat Developers | Engineering
>>
>>> On Mar 31, 2016, at 3:00 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>> Follow-up on the issue by Libor [1]. I can confirm seeing the same
>>> behaviour in the OOTB Keycloak, like Libor described in the JIRA. In
>>> other words, when you refresh the account page
>>> ( http://localhost:8080/auth/realms/myrealm/account ) but the UserSession
>>> referenced from the KEYCLOAK_IDENTITY cookie is expired, then all cookies
>>> including KEYCLOAK_REMEMBERME are expired too.
>>>
>>> IMO the RememberMe cookie shouldn't be expired when the session is expired.
>>> We're using the rememberMe cookie as a hint for the username on the login
>>> page. So even if the user returns to the page after a month, I am not seeing
>>> anything bad in the rememberMe cookie still being valid: the user will see
>>> the "hint" with his username on the login page and the rememberMe checkbox
>>> checked, even if the session expired a long time ago. IMO the only
>>> situation when we should expire the KEYCLOAK_REMEMBERME cookie is when the
>>> user unchecks the "Remember me" checkbox on the login page.
>>>
>>> [1] https://issues.jboss.org/browse/ORG-2956
>>>
>>> Marek
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
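As an added illustration of the timeout policy argued over in this thread (not Keycloak's own code, and not from anyone on the list), here is a small Python model of the three behaviours at stake: a session that is checked against SSO Idle and SSO Max, a remember-me session that is checked against separate remember-me idle/max values when the realm defines them (the option Stian proposes; the `remember_me_idle`/`remember_me_max` fields, the function names and the sample timeouts are all assumptions of this example), and a KEYCLOAK_REMEMBERME hint cookie that survives SSO expiry and is cleared only on explicit logout or a login without the checkbox (Marek's point 1).

```python
"""Toy model of SSO session expiry with a "remember me" flag.

Constructed for illustration only; this is not Keycloak's implementation.
Timeout names mirror the realm settings named in the thread; the separate
remember-me idle/max values are an assumption (a proposed option, not an
existing setting). All times are epoch seconds.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RealmTimeouts:
    sso_idle: int                            # "SSO Session Idle" (30 min by default)
    sso_max: int                             # "SSO Session Max" lifespan
    remember_me_idle: Optional[int] = None   # assumed: dedicated remember-me idle timeout
    remember_me_max: Optional[int] = None    # assumed: dedicated remember-me max lifespan


@dataclass
class UserSession:
    started: int        # when the session was created
    last_refresh: int   # last SSO cookie check or token refresh
    remember_me: bool   # state of the "Remember me" checkbox at login


def effective_timeouts(session: UserSession, realm: RealmTimeouts) -> Tuple[int, int]:
    """Return the (idle, max) pair that governs this session.

    Ordinary sessions always use the realm SSO values. A remember-me session
    uses the dedicated remember-me values when the realm configures them and
    otherwise falls back to the SSO values (today's behaviour, where a
    remember-me session dies after 30 idle minutes like any other).
    """
    if not session.remember_me:
        return realm.sso_idle, realm.sso_max
    idle = realm.remember_me_idle if realm.remember_me_idle is not None else realm.sso_idle
    max_ = realm.remember_me_max if realm.remember_me_max is not None else realm.sso_max
    return idle, max_


def is_session_valid(session: UserSession, realm: RealmTimeouts, now: int) -> bool:
    """Both the cleaner thread and the SSO cookie check can share this rule:
    a session is dead once it exceeds its max lifespan or sits idle too long."""
    idle, max_ = effective_timeouts(session, realm)
    if now - session.started > max_:
        return False
    if now - session.last_refresh > idle:
        return False
    return True


def remember_me_cookie_after(event: str, cookie_username: Optional[str]) -> Optional[str]:
    """Value of the KEYCLOAK_REMEMBERME username hint after an event.

    Only an explicit logout or a login without the checkbox clears it;
    SSO session expiry leaves the hint in place. Returns None when cleared.
    """
    if event in ("logout", "login_without_remember_me"):
        return None
    return cookie_username


def on_browser_return(session: UserSession, realm: RealmTimeouts, now: int,
                      remember_me_cookie: Optional[str]) -> str:
    """What the user sees when reopening the browser: silent re-authentication
    while the session lives, otherwise the login page, with the username
    prefilled if the hint cookie is still there."""
    if is_session_valid(session, realm, now):
        return "reauthenticated"
    hint = remember_me_cookie_after("sso_expired", remember_me_cookie)
    return "login:" + hint if hint else "login"


if __name__ == "__main__":
    # Constructed sample: default-like SSO values plus assumed remember-me values.
    realm = RealmTimeouts(sso_idle=1800, sso_max=10 * 3600,
                          remember_me_idle=30 * 86400, remember_me_max=60 * 86400)
    week = 7 * 86400
    rm_session = UserSession(started=0, last_refresh=0, remember_me=True)
    print(on_browser_return(rm_session, realm, week, "alice"))  # reauthenticated
    print(on_browser_return(rm_session, RealmTimeouts(1800, 10 * 3600), week, "alice"))  # login:alice
```

The fallback in `effective_timeouts` is what produces the "pointless" behaviour Marek describes: with no dedicated remember-me values a remember-me session is governed by the 30-minute SSO Idle timeout, so reopening the browser a day later lands on the login page. With dedicated values the session survives a week of inactivity but still dies at the remember-me max lifespan, which addresses Stian's worry about unused sessions piling up. The hint cookie is independent of both decisions.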