Heh, this took some time to track down. :-p
Quick answer: Due to line 92 of this commit, logout handlers aren't called (and thus, the REMEMBERME cookie isn't removed) unless there's a token in the securityContext (i.e. the user is logged in).
Longer answer: AbstractRememberMeServices's cancelCookie method handles the removal of the REMEMBERME token. RememberMeFactory makes sure an implementation of this abstract class is registered with the LogoutListener (through some convoluted service lookups involving one of the security.authentication.rememberme.services.* services).
LogoutListener (one of Firewall's listeners) is supposed to iterate through all its handlers (that implement LogoutHandlerInterface), calling their logout method. You're probably using PersistentTokenBasedRememberMeServices, whose service id is security.authentication.rememberme.services.persistent and whose logout method calls the cancelCookie method mentioned above, thus supposedly removing the REMEMBERME cookie.
But due to what I explained above, it is never called for users who aren't logged in (due to the session having expired). Instead, the logoutSuccessHandler redirects you, and in the following request the remaining REMEMBERME cookie kicks into action.
I'm not sure whether this should be considered a bug (unintended side-effect of the commit) or not. Perhaps one of us should submit it and see what the devs make of it?
:-)
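As an added illustration of the workaround a defender might deploy while the behaviour described in this answer is open (this is example code, not part of the thread and not Symfony's own code): a kernel.response listener that expires the remember-me cookie on every response to the logout path, whether or not a security token existed when LogoutListener ran. The logout path "/logout", the class and namespace names, and the Symfony 2.x class names used are assumptions; the cookie name REMEMBERME is the one discussed above.

```php
<?php
// Added example, not from the original thread or from Symfony itself.
// Assumptions: Symfony 2.x HttpKernel/HttpFoundation classes, a logout
// path of "/logout", and the remember-me cookie name "REMEMBERME".

namespace Acme\SecurityBundle\EventListener;

use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;

class ClearRememberMeCookieListener
{
    private $logoutPath;
    private $cookieName;
    private $cookiePath;
    private $cookieDomain;

    // The path/domain must match the ones the remember-me cookie was set with,
    // otherwise the browser treats the expiry as a different cookie.
    public function __construct($logoutPath = '/logout', $cookieName = 'REMEMBERME', $cookiePath = '/', $cookieDomain = null)
    {
        $this->logoutPath = $logoutPath;
        $this->cookieName = $cookieName;
        $this->cookiePath = $cookiePath;
        $this->cookieDomain = $cookieDomain;
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        // Sub-requests (forwards, ESI) never serve the logout path; act on the master request only.
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        $request = $event->getRequest();
        if ($request->getPathInfo() !== $this->logoutPath) {
            return;
        }

        // Expire the cookie on the response regardless of whether LogoutListener
        // ran its handlers (it skips them when no token is in the security context).
        $event->getResponse()->headers->clearCookie(
            $this->cookieName,
            $this->cookiePath,
            $this->cookieDomain
        );
    }
}
```

Register the class as a service tagged kernel.event_listener for the kernel.response event (method onKernelResponse), and keep the path and domain arguments in step with the remember-me configuration of the firewall; a Set-Cookie expiry that does not match the original path and domain leaves the stale cookie in place, which is exactly the situation the answer describes.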