Question
I'm helping to maintain an app that uses Apache Shiro.
We want our users to be able to logout, but keep their "remember me" cookie, but apparently this isn't supported by Shiro (scroll to bottom of page):
https://shiro.apache.org/java-authentication-guide.html
When you log out in Shiro it will close out the user session and removes any associated identity from the subject instance. If you're using RememberMe in a web environment, then .logout() will, by default, also delete the RememberMe cookie from the browser.
What's the best way to achieve this goal?
Solution 2
Turns out this could be done by using a custom security manager:
https://stackoverflow.com/questions/21711984
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianpublic class CustomSecurityManager extends DefaultWebSecurityManager {
@Override
protected void beforeLogout(Subject subject)
{
super.removeRequestIdentity(subject);
}
}
OTHER TIPS
You could:
RememberMe cookie. Never used Apache Shiro, so I'm not sure how it'd work or if it would accomplish what you want to accomplish.
