Summary
Following https://jira.spring.io/browse/SEC-3210, we now have the ability to specify the remember-me cookie domain, in order to have the same cookie on en.sample.org and fr.sample.org, for example. But if you apply a domain in AbstractRememberMeServices.setCookie(), you should also apply it to cancelCookie().
In order to delete a cookie, one must specify the same domain.
Actual Behavior
1. Specify a domain: http.rememberMe().rememberMeCookieDomain(".sample.org");
2. Log in with remember me
3. Log out
4. You are still logged in, since the remember-me cookie was not deleted.
Expected Behavior
After 3., you should be disconnected.
Version
Spring Security 4.1.0.
Suggested Correction
Pull request asauvez#1
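
The behaviour reported above can be reproduced outside Spring with the JDK's own cookie jar. This is an added example, not code from the issue, the pull request or Spring Security: java.net.CookieManager stands in for the browser, the host names are the ones in the report, and the class name, token value and Max-Age at login are constructed for illustration.

```java
import java.io.IOException;
import java.net.CookieManager;
import java.net.URI;
import java.util.List;
import java.util.Map;

// Added illustration: a client-side cookie jar identifies a cookie by
// name + domain + path, so a cancel header must repeat the login Domain.
public class RememberMeCookieDomainDemo {
    static final URI SITE = URI.create("https://en.sample.org/");

    // Feed one Set-Cookie response header, as received from SITE, into the jar.
    static void receive(CookieManager jar, String setCookie) throws IOException {
        jar.put(SITE, Map.of("Set-Cookie", List.of(setCookie)));
    }

    // True if the jar would still send a remember-me cookie to SITE.
    static boolean sendsRememberMe(CookieManager jar) {
        return jar.getCookieStore().get(SITE).stream()
                .anyMatch(c -> c.getName().equals("remember-me"));
    }

    public static void main(String[] args) throws IOException {
        // Login response: cookie scoped to the shared parent domain (constructed value).
        String login =
            "remember-me=constructed-token; Domain=.sample.org; Path=/; Max-Age=1209600";
        // Logout response without Domain: the jar files it under en.sample.org,
        // which is a different identity from the cookie set at login.
        String cancelHostOnly = "remember-me=; Path=/; Max-Age=0";
        // Logout response repeating the Domain that was used at login.
        String cancelSameDomain = "remember-me=; Domain=.sample.org; Path=/; Max-Age=0";

        CookieManager jar = new CookieManager();
        receive(jar, login);

        receive(jar, cancelHostOnly);
        System.out.println("still sent after cancel without Domain: " + sendsRememberMe(jar));

        receive(jar, cancelSameDomain);
        System.out.println("still sent after cancel with Domain:    " + sendsRememberMe(jar));
    }
}
```

A useful regression check for the fix is the same comparison on the real logout response: the Set-Cookie header that expires remember-me should carry the same Domain and Path as the one issued at login.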