[keycloak-dev] Expected behaviour for rememberMe?
Libor Krzyzanek
lkrzyzan at redhat.com
Thu Mar 31 10:26:27 EDT 2016
I read the docs today http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630 and my understanding is that the user should stay logged in after either browser restart or session expiration.
My tests show that after session expiration (set to 1 min) I have to log in again.
Thanks,
Libor Krzyžanek
Principal Software Engineer
Red Hat Developers | Engineering
> On Mar 31, 2016, at 3:00 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
> Followup on the issue by Libor [1]. I can confirm that I see the same
> behaviour in the OOTB Keycloak, like Libor described in the JIRA. In
> other words, when you refresh account page (
> http://localhost:8080/auth/realms/myrealm/account ) but the UserSession
> referenced from KEYCLOAK_IDENTITY cookie is expired, then all cookies
> including KEYCLOAK_REMEMBERME are expired too.
>
> IMO RememberMe cookie shouldn't be expired when session is expired.
> We're using the rememberMe cookie as hint for username on the login
> page. So even if user returns to page after a month, I am not seeing
> anything bad that rememberMe cookie is still valid and user will see
> "hint" with his username on login page and rememberMe checkbox checked
> even if session was expired already for a long time. IMO the only
> situation when we should expire KEYCLOAK_REMEMBERME cookie is, when user
> unchecks the "Remember me" checkbox on login page.
>
> [1] https://issues.jboss.org/browse/ORG-2956
>
> Marek