shiro-user mailing list archives

Subject Re: How to force a remembered user to be forgotten?
Date Thu, 29 Aug 2013 15:23:17 GMT

I think I understand your question better now, but I think you may have some
confusion over how RememberMe works.  By default in Shiro, a remembered user
is not authenticated, and no auto-login is supported.  So, unless you have
written code to override that behavior, you probably do not need to worry
about revoking all outstanding remember me cookies.  The user still has to
re-authenticate even if they are remembered.  A good discussion of the
default behavior is in this question:

That said, Shiro has no way I know of to revoke all outstanding remember me
cookies for a given user, if you still think you need to do that.  If you
think about it, this is essentially impossible, since the cookie resides in
the user's browser, not the server; so unless the user interacts with the
server via the browser, the server cannot unset a cookie.

I think you could extend the CookieRememberMeManager class so that it stored
a key/value pair of a random UUID/username in a database, and set just the
UUID in the cookie; then you could delete that pair from the database when
you wanted to invalidate all RememberMe tokens; whenever a new session is
created, you could then verify that any existing RememberMe token is
validated by the information in the database.  That level of complexity is
beyond what most people need.

I hope that is clearer.

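The server-side token scheme sketched in the reply above, as an added example (this is not code from the original message and not part of Shiro itself). It subclasses Shiro's CookieRememberMeManager and overrides the two hooks that turn principals into cookie bytes and back: on a successful rememberMe login it keeps Shiro's own encrypted principal blob server-side under a random UUID and writes only that UUID into the cookie; when a browser presents the cookie, the UUID is looked up and an unknown or deleted id yields no remembered identity. Revoking every outstanding cookie for a user is then a delete on the store. The class name RevocableRememberMeManager, the TokenRecord holder and the in-memory ConcurrentHashMap standing in for the database table are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

/**
 * Hypothetical RememberMe manager (not part of Shiro) that keeps the remembered
 * identity on the server, keyed by a random UUID, and puts only that UUID in the
 * rememberMe cookie. Deleting a user's records server-side makes every cookie
 * they were ever issued worthless the next time a browser presents it.
 */
public class RevocableRememberMeManager extends CookieRememberMeManager {

    /** One row per issued cookie: who it belongs to and Shiro's own encrypted principal blob. */
    static final class TokenRecord {
        final String username;
        final byte[] encryptedPrincipals;

        TokenRecord(String username, byte[] encryptedPrincipals) {
            this.username = username;
            this.encryptedPrincipals = encryptedPrincipals;
        }
    }

    /** Assumption: an in-memory map stands in for the database table the message describes. */
    private final Map<String, TokenRecord> tokenStore = new ConcurrentHashMap<String, TokenRecord>();

    /** Shiro calls this when a login with rememberMe=true succeeds; the result becomes the cookie value. */
    @Override
    protected byte[] convertPrincipalsToBytes(PrincipalCollection principals) {
        // Let Shiro serialize and encrypt the principals exactly as it would for the cookie...
        byte[] encrypted = super.convertPrincipalsToBytes(principals);
        // ...but keep that blob server-side and hand the cookie only an opaque, unguessable id.
        String tokenId = UUID.randomUUID().toString();
        String username = String.valueOf(principals.getPrimaryPrincipal());
        tokenStore.put(tokenId, new TokenRecord(username, encrypted));
        return tokenId.getBytes(StandardCharsets.US_ASCII);
    }

    /** Shiro calls this whenever it builds a Subject and finds a rememberMe cookie on the request. */
    @Override
    protected PrincipalCollection convertBytesToPrincipals(byte[] cookieBytes, SubjectContext subjectContext) {
        String tokenId = new String(cookieBytes, StandardCharsets.US_ASCII);
        TokenRecord record = tokenStore.get(tokenId);
        if (record == null) {
            // Unknown, expired or revoked id: the Subject is simply not remembered.
            // The cookie stays in the browser (the server cannot reach it), but it no longer does anything.
            return null;
        }
        // Decrypt and deserialize the stored blob the same way Shiro would have done for the cookie.
        return super.convertBytesToPrincipals(record.encryptedPrincipals, subjectContext);
    }

    /** Forget every outstanding RememberMe cookie for one user. Returns how many records were deleted. */
    public int revokeAll(String username) {
        int revoked = 0;
        for (Map.Entry<String, TokenRecord> entry : tokenStore.entrySet()) {
            if (entry.getValue().username.equals(username)
                    && tokenStore.remove(entry.getKey()) != null) { // safe during ConcurrentHashMap iteration
                revoked++;
            }
        }
        return revoked;
    }
}
```

Wire it in as the SecurityManager's rememberMeManager (in shiro.ini: `rememberMeManager = com.example.RevocableRememberMeManager` followed by `securityManager.rememberMeManager = $rememberMeManager`, package name assumed). Because the lookup runs every time Shiro resolves a Subject from the cookie, it also covers the "whenever a new session is created" check the reply mentions. A real deployment should expire records in step with the cookie's maxAge, delete the matching record on logout rather than only dropping the cookie, and index the store by username so revokeAll is a single delete.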