Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 1.2.3
- Fix Version/s: None
- Component/s: None
Description
On successful login, Shiro adds two cookie entries: one with deleteMe as the value and the other with the encrypted value.
Though the delete-me cookie has an expired state, it should not be resent in the header. As per the cookie spec, the order of the response headers should not be relied upon.
class: AbstractRememberMeManager
method:

```java
public void onSuccessfulLogin(Subject subject, AuthenticationToken token, AuthenticationInfo info) {
    // always clear any previous identity (this call is elided in the report; it is the
    // unconditional forgetIdentity the report refers to, as in Shiro 1.2.x):
    forgetIdentity(subject);

    // now save the new identity:
    if (isRememberMe(token)) {
        rememberIdentity(subject, token, info);
    } else {
        if (log.isDebugEnabled()) {
            log.debug("AuthenticationToken did not indicate RememberMe is requested. " +
                    "RememberMe functionality will not be executed for corresponding account.");
        }
    }
}
```
In the above code, forgetIdentity happens every time. A better place is in the else condition (when isNotRememberMe).
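To make the report's point concrete, the following is an added example written for this page; it is not Shiro's code and not the reporter's. It uses a hypothetical in-memory `RecordingResponse` in place of `HttpServletResponse`, hard-codes the cookie name `rememberMe` and the `deleteMe` sentinel, and models a client that applies `Set-Cookie` headers for one name either in header order or in reverse order. `loginAsReported` follows the 1.2.3 ordering (forget unconditionally, then remember), `loginProposed` follows the ordering the report suggests (forget only when RememberMe was not requested). RFC 6265 §4.1.2 advises servers not to send more than one `Set-Cookie` header with the same cookie name in one response, which is the spec point the report leans on.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

public class RememberMeCookieOrderDemo {

    static final String COOKIE_NAME = "rememberMe";
    // sentinel value written when the cookie is removed (assumed to match Shiro's behaviour)
    static final String DELETED_VALUE = "deleteMe";

    /** Hypothetical stand-in for HttpServletResponse: records Set-Cookie values in the order added. */
    static final class RecordingResponse {
        final List<String> setCookies = new ArrayList<>();
        void addCookie(String headerValue) { setCookies.add(headerValue); }
    }

    /** Emits an expired cookie so the client drops any stored rememberMe value. */
    static void forgetIdentity(RecordingResponse resp) {
        resp.addCookie(COOKIE_NAME + "=" + DELETED_VALUE + "; Path=/; Max-Age=0");
    }

    /** Emits the real rememberMe cookie carrying the serialized (encrypted) identity. */
    static void rememberIdentity(RecordingResponse resp, String serializedIdentity) {
        resp.addCookie(COOKIE_NAME + "=" + serializedIdentity + "; Path=/; HttpOnly");
    }

    /** Ordering as reported for Shiro 1.2.3: forget unconditionally, then remember if requested. */
    static RecordingResponse loginAsReported(boolean rememberMe, String serializedIdentity) {
        RecordingResponse resp = new RecordingResponse();
        forgetIdentity(resp);
        if (rememberMe) {
            rememberIdentity(resp, serializedIdentity);
        }
        return resp;
    }

    /** Ordering proposed in the report: forget only when RememberMe was not requested. */
    static RecordingResponse loginProposed(boolean rememberMe, String serializedIdentity) {
        RecordingResponse resp = new RecordingResponse();
        if (rememberMe) {
            rememberIdentity(resp, serializedIdentity);
        } else {
            forgetIdentity(resp);
        }
        return resp;
    }

    /**
     * Simplified cookie jar for a single cookie name. Applies the Set-Cookie headers in the
     * given order (optionally reversed, to model a client that does not preserve header order).
     * Max-Age=0 removes the cookie; any other header stores its value. Returns the value the
     * client holds afterwards, or null if the cookie ended up removed.
     */
    static String applySetCookies(List<String> headers, boolean reversed) {
        List<String> ordered = new ArrayList<>(headers);
        if (reversed) {
            Collections.reverse(ordered);
        }
        String stored = null;
        for (String header : ordered) {
            String[] attrs = header.split(";\\s*");
            String[] nameValue = attrs[0].split("=", 2);
            if (!COOKIE_NAME.equals(nameValue[0])) {
                continue;
            }
            boolean expired = false;
            for (int i = 1; i < attrs.length; i++) {
                if ("max-age=0".equals(attrs[i].toLowerCase(Locale.ROOT))) {
                    expired = true;
                }
            }
            stored = expired ? null : nameValue[1];
        }
        return stored;
    }

    public static void main(String[] args) {
        String identity = "constructed-placeholder-ciphertext"; // constructed sample, not a real token
        RecordingResponse reported = loginAsReported(true, identity);
        RecordingResponse proposed = loginProposed(true, identity);

        System.out.println("as reported: " + reported.setCookies.size() + " Set-Cookie header(s)");
        System.out.println("  client applying in header order  : " + applySetCookies(reported.setCookies, false));
        System.out.println("  client applying in reverse order : " + applySetCookies(reported.setCookies, true));
        System.out.println("proposed:    " + proposed.setCookies.size() + " Set-Cookie header(s)");
        System.out.println("  client applying in reverse order : " + applySetCookies(proposed.setCookies, true));
    }
}
```

Run with `java RememberMeCookieOrderDemo.java` (JDK 11 or later). The reported ordering produces two `Set-Cookie` headers for the same name, so a client that does not honour header order can end up with the cookie removed instead of set; the proposed ordering produces exactly one. One caveat before adopting the proposed ordering: it is only equivalent because `rememberIdentity` writes a cookie with the same name, path and domain as the one `forgetIdentity` clears, so the new `Set-Cookie` replaces any stale value on its own. If those attributes ever differ between the two paths, the unconditional clear is still needed to avoid leaving an old identity cookie behind.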