Artem Troitskiy (Migrated from SEC-1410) said:
As of 3.0.1, AbstractRememberMeServices.decodeCookie() treats usernames with "http://" as a special case for compatibility with OpenID. But some OpenID providers use "https://..." in their identity urls, and cookies with such usernames are decoded incorrectly.
Luke Taylor said:
Thanks. I've changed it to check for usernames starting with "https" as well as "http".