[keycloak-dev] Expected behaviour for rememberMe?
Marek Posolda
mposolda at redhat.com
Thu Mar 31 09:00:38 EDT 2016
Follow-up on the issue by Libor [1]. I can confirm that I see the same
behaviour in the OOTB Keycloak, as Libor described in the JIRA. In
other words, when you refresh the account page (
http://localhost:8080/auth/realms/myrealm/account ) but the UserSession
referenced from the KEYCLOAK_IDENTITY cookie is expired, then all cookies
including KEYCLOAK_REMEMBERME are expired too.

IMO the RememberMe cookie shouldn't be expired when the session is expired.
We're using the rememberMe cookie as a hint for the username on the login
page. So even if the user returns to the page after a month, I don't see
anything bad in the rememberMe cookie still being valid and the user seeing
the "hint" with his username on the login page and the rememberMe checkbox
checked, even if the session expired a long time ago. IMO the only
situation when we should expire the KEYCLOAK_REMEMBERME cookie is when the
user unchecks the "Remember me" checkbox on the login page.
[1] https://issues.jboss.org/browse/ORG-2956
Marek