Question

I want to have a timeout for the session, i.e. 5 minutes. But I also want to have a remember me functionality with a timeout of 8 hours.

So I set the session timeout in the config.yml with this:

framework:
    session:
        cookie_lifetime: 300    # seconds; the session cookie expires 5 minutes after it is set

And then I set the remember me timeout in the security.yml with this:

security:
    firewalls:
        main:
            remember_me:
                key: '%secret%'
                lifetime: 28800    # seconds; the REMEMBERME cookie lives 8 hours
                path: /
                domain: ~

So, if I keep working within 5 minutes and then log out, everything goes right. But if I stay inactive for more than 5 minutes (session timeout) and then log out, I am automatically authenticated with the remember me cookie. Therefore, if I want to log out, I have to click the Logout link twice.

What should I do to make them work together?


Solution

Heh, this took some time to track down. :-p

Quick answer: due to line 92 of this commit, logout handlers aren't called (and thus the REMEMBERME cookie isn't removed) unless there's a token in the securityContext (i.e. the user is logged in).

Longer answer: AbstractRememberMeServices's cancelCookie method handles the removal of the REMEMBERME token. RememberMeFactory makes sure an implementation of this abstract class is registered with the LogoutListener (through some convoluted service lookups involving one of the security.authentication.rememberme.services.* services).

LogoutListener (one of Firewall's listeners) is supposed to iterate through all its handlers (that implement LogoutHandlerInterface), calling their logout method. You're probably using PersistentTokenBasedRememberMeServices, whose service id is security.authentication.rememberme.services.persistent and whose logout method calls the cancelCookie method mentioned above, thus supposedly removing the REMEMBERME cookie.

But due to what I explained above, it is never called for users who aren't logged in (due to the session having expired). Instead, the logoutSuccessHandler redirects you, and in the following request the remaining REMEMBERME cookie kicks into action.


I'm not sure whether this should be considered a bug (unintended side-effect of the commit) or not. Perhaps one of us should submit it and see what the devs make of it?

:-)
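A workaround for the behaviour described in the answer, added here as an example and not part of the original answer or of Symfony itself: a kernel.response listener that clears the REMEMBERME cookie whenever the logout path is requested, independently of whether a token is present in the security context. The namespace, class name, service id, constructor arguments and the '/logout' path are assumptions; the cookie name, path and domain must match the remember_me settings in security.yml.

```php
<?php
// Added example (hypothetical Acme\SecurityBundle code), not from the original answer.
// Clears the remember-me cookie on every response to the logout path, so that an
// expired session no longer leaves the REMEMBERME cookie behind after logout.

namespace Acme\SecurityBundle\EventListener;

use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;

class ClearRememberMeOnLogoutListener
{
    private $logoutPath;
    private $cookieName;
    private $cookiePath;
    private $cookieDomain;

    // Defaults mirror Symfony's remember_me defaults; '/logout' is an assumed logout path.
    public function __construct($logoutPath = '/logout', $cookieName = 'REMEMBERME', $cookiePath = '/', $cookieDomain = null)
    {
        $this->logoutPath   = $logoutPath;
        $this->cookieName   = $cookieName;
        $this->cookiePath   = $cookiePath;
        $this->cookieDomain = $cookieDomain;
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        // Only the master request carries the response that reaches the browser.
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        $request = $event->getRequest();
        if ($request->getPathInfo() !== $this->logoutPath) {
            return;
        }

        // Nothing to clear if the browser did not send the cookie.
        if (!$request->cookies->has($this->cookieName)) {
            return;
        }

        // Path and domain must equal those used when the cookie was set; otherwise the
        // browser treats the Set-Cookie header as a different cookie and keeps the old one.
        $event->getResponse()->headers->clearCookie(
            $this->cookieName,
            $this->cookiePath,
            $this->cookieDomain
        );
    }
}

// Assumed service definition (app/config/config.yml), shown here as a comment:
//
// services:
//     acme_security.clear_rememberme_on_logout:
//         class: Acme\SecurityBundle\EventListener\ClearRememberMeOnLogoutListener
//         arguments: ['/logout', 'REMEMBERME', '/', ~]
//         tags:
//             - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }
```

Clearing the cookie only tells the browser to drop it. With PersistentTokenBasedRememberMeServices the series/token pair also lives in the token store, and the regular logout handler (which, per the answer, does not run here) is what deletes it; until that deletion or the 8-hour lifetime, a copy of the cookie value could still be presented to the server, so treat this listener as a fix for the double-logout symptom rather than as a full server-side invalidation.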

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow