I'm helping to maintain an app that uses Apache Shiro.

We want our users to be able to log out but keep their "remember me" cookie, but apparently this isn't supported by Shiro (scroll to bottom of page):

https://shiro.apache.org/java-authentication-guide.html

When you log out in Shiro it will close out the user session and removes any associated identity from the subject instance. If you're using RememberMe in a web environment, then .logout() will, by default, also delete the RememberMe cookie from the browser.

What's the best way to achieve this goal?


Solution 2

Turns out this could be done by using a custom security manager:

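import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class CustomSecurityManager extends DefaultWebSecurityManager {
    // Deliberately does not call super.beforeLogout(subject): the inherited
    // hook is what forgets the RememberMe identity (deletes the cookie).
    @Override
    protected void beforeLogout(Subject subject) {
        // Still mark the identity as removed for the current request.
        super.removeRequestIdentity(subject);
    }
}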
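
One way to wire the custom security manager above into a web app, shown as an added example that is not part of the original answer. The package name `com.example.shiro`, the URL paths and the login page are assumptions, and the app's existing realm configuration is left out. Because the RememberMe cookie now survives logout, a returning user is remembered but not authenticated, so the sensitive path sits behind `authc` rather than `user`.

```ini
[main]
# Assumption: placeholder package for the CustomSecurityManager class above.
securityManager = com.example.shiro.CustomSecurityManager

# Assumption: hypothetical login page and post-logout landing page.
authc.loginUrl = /login.jsp
logout.redirectUrl = /

# Realm definitions are unchanged from the existing application (not shown).

[urls]
/login.jsp = authc
# The built-in logout filter calls subject.logout(), which now ends the
# session but leaves the RememberMe cookie in the browser.
/logout = logout
# authc requires a login in the current session; a subject recognised only
# through the RememberMe cookie is sent to the login page.
/account/** = authc
# user admits subjects that are either authenticated or merely remembered.
/** = user
```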

Other tips

You could:

  1. Copy the RememberMe cookie.
  2. Perform their logout.
  3. Then copy it back into place.

Never used Apache Shiro, so I'm not sure how it'd work or if it would accomplish what you want to accomplish.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow