+
Skip to content

Invalidate sessions created with remember me when remember me is disabled #43355

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 14, 2025
Merged

Invalidate sessions created with remember me when remember me is disabled #43355

merged 1 commit into from
Oct 14, 2025

Conversation

graziang
Copy link
Contributor

Closes #43328

With this PR, all user sessions created with the "remember me" option are considered invalid if the "remember me" is disabled in the realm settings.

@graziang graziang requested review from a team as code owners October 10, 2025 10:24
@graziang graziang force-pushed the issue-43328 branch 3 times, most recently from 3214435 to 974814a Compare October 10, 2025 15:09
@mposolda mposolda self-assigned this Oct 13, 2025
@graziang
Invalidate sessions created with remember me when remember me is disa…
fed9e27 
…bled for realm

Closes keycloak#43328

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
@graziang graziang requested a review from a team as a code owner October 14, 2025 13:43
mposolda
mposolda approved these changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@mposolda mposolda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@graziang LGTM, Thanks!

@ahus1 ahus1 enabled auto-merge (squash) October 14, 2025 14:30
ahus1
ahus1 approved these changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@ahus1 ahus1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this change! Especially the extra note about

Note also that the sessions will not be invalidated immediately when the switch is disabled, but only when a cookie or token associated with an invalid session is used. This means that disabling and then re-enabling the "Remember me" switch cannot be used to invalidate old sessions.

@ahus1 ahus1 merged commit bda0e2a into keycloak:main Oct 14, 2025
80 checks passed
keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Oct 14, 2025
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.account.AccountRestServiceTest#listApplicationsWithoutPermission

Keycloak CI - Java Distribution IT (windows-latest - temurin - 17)

org.openqa.selenium.TimeoutException: 
java.net.SocketTimeoutException: Read timed out
Build info: version: '4.28.1', revision: '73f5ad48a2'
System info: os.name: 'Windows Server 2025', os.arch: 'amd64', os.version: '10.0', java.version: '17.0.16'
Driver info: driver.version: HtmlUnitDriver
...

Report flaky test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mposolda mposolda mposolda approved these changes

@ahus1 ahus1 ahus1 approved these changes

+1 more reviewer

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@mposolda mposolda

Labels

flaky-test team/cloud-native team/core-clients team/core-iam team/ui

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

"Remember me" user sessions remain valid after "remember me" realm setting is disabled

3 participants

@graziang @mposolda @ahus1
点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载