Remove all remembered tokens by just logging out from one device #4824

@danjee

Summary

By logging out, the PersistentTokenBasedRememberMeServices removes all the tokens from the database
that are tied to that username, without considering the device he wants to log out from.

Actual Behavior

  1. Login browser 1
  2. A cookie is created on the browser
  3. A remember me token is created in the database for that username
  4. Login browser 2
  5. A cookie is created on the browser
  6. A new remember me token is created in the database for that username
  7. Logout browser 1
  8. The cookie is deleted from the browser
  9. All the tokens are deleted from the database for that username regardless of their browser
  10. User tries to use the cookie on the second browser but the corresponding token is missing

Expected Behavior

On step 9 only the token corresponding to that session and cookie should be deleted

Configuration

No custom configuration

Version

4.2.3.RELEASE
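
The reported and expected logout behaviour side by side, as an added example that is not part of the original issue and not Spring Security's own code: a self-contained Java model of the token table, in which `removeUserTokens` mirrors the per-username deletion from step 9 and `removeTokenForSeries` is a hypothetical per-token alternative. The class name, the `series` key and the user name `alice` are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Model of a persistent remember-me token table (no Spring dependency).
// Everything here is illustrative; sample user and tokens are constructed.
public class RememberMeLogoutDemo {
    // series value held in the browser's cookie -> username owning that token row
    private final Map<String, String> tokensBySeries = new HashMap<>();

    // Steps 1-3 and 4-6: each login creates one row and returns the cookie's series.
    String login(String username) {
        String series = UUID.randomUUID().toString();
        tokensBySeries.put(series, username);
        return series;
    }

    // Behaviour reported in the issue: logout deletes every row for the username.
    void removeUserTokens(String username) {
        tokensBySeries.values().removeIf(username::equals);
    }

    // Expected behaviour: delete only the row matching the cookie that was presented.
    // Hypothetical method, not taken from the page or from Spring Security.
    void removeTokenForSeries(String series) {
        tokensBySeries.remove(series);
    }

    // Step 10: a remember-me login works only if the cookie's row still exists.
    boolean autoLoginSucceeds(String series) {
        return tokensBySeries.containsKey(series);
    }

    public static void main(String[] args) {
        RememberMeLogoutDemo actual = new RememberMeLogoutDemo();
        String browser1 = actual.login("alice");
        String browser2 = actual.login("alice");
        actual.removeUserTokens("alice");             // steps 7-9 as reported
        System.out.println("actual: browser 2 remembered = " + actual.autoLoginSucceeds(browser2));

        RememberMeLogoutDemo expected = new RememberMeLogoutDemo();
        browser1 = expected.login("alice");
        browser2 = expected.login("alice");
        expected.removeTokenForSeries(browser1);      // only browser 1's row
        System.out.println("expected: browser 1 remembered = " + expected.autoLoginSucceeds(browser1));
        System.out.println("expected: browser 2 remembered = " + expected.autoLoginSucceeds(browser2));
    }
}
```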
