Question

I am using WSO2 Identity Server 4.1.0 to perform basic authentication. It is possible to call the AuthenticationAdmin webservice, which contains a 'loginWithRememberMeOption'. The user will then obtain a 'rememberMeCookie', with which he can log in, even if his session (JSESSION) has expired.

I have learned that the loginWithRememberMeOption also has a timeout: 7 days, and that this time cannot be modified: WSO2 Authentication, adding/modifying timeout to the RememberMe cookie

The AuthenticationAdmin service also provides a 'logout' operation. Unfortunately, this operation will only invalidate the session. So if a user has a rememberMeCookie, he will still be able to login: WSO2 AuthenticationAdmin Logout

The question is, how do I logout a user that has obtained a rememberMeCookie? Preferably using the AuthenticationAdmin?


Solution

As I understand there is no direct way to logout a user with a remember me cookie.

I went through the code. Once you login with remember me option, a UUID is generated. Refer org.wso2.carbon.core.services.authentication.AuthenticationAdmin.loginWithRememberMeOption(String, String, String) method in AuthenticationAdmin

The cookie is then saved in the database. When you login with the remember me cookie, the cookie is checked against the user store. Refer org.wso2.carbon.user.api.UserStoreManager.isValidRememberMeToken(String, String). You can check the JDBC implementation.

So, in order to logout, you might have to clear the cookie from the user store.

Please report a JIRA issue, if you think it might be useful to add a method to clear the cookie.
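A small model of the two logout behaviours discussed above: a session-only logout that leaves the persisted remember-me token valid, beside a logout that also clears the token from the store. This is example code added here, not WSO2's own; the AuthStore class and its method names are assumed, and only the 7-day lifetime follows the question.

```python
import hashlib
import secrets
import time
import uuid

REMEMBER_ME_TTL = 7 * 24 * 3600  # 7 days, the fixed lifetime the question mentions


class AuthStore:
    """Constructed in-memory stand-in for the session table and user store."""

    def __init__(self, now=time.time):
        self.now = now             # injectable clock so expiry can be tested
        self.sessions = {}         # session_id -> username
        self.remember_me = {}      # username -> (sha256(token), expiry epoch)

    @staticmethod
    def _digest(token):
        # Store only a hash so a dump of the store does not yield usable cookies
        return hashlib.sha256(token.encode()).hexdigest()

    def login_with_remember_me(self, username):
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = username
        token = str(uuid.uuid4())  # a UUID is generated for the cookie, as the answer describes
        self.remember_me[username] = (self._digest(token), self.now() + REMEMBER_ME_TTL)
        return session_id, token

    def is_valid_remember_me_token(self, username, token):
        entry = self.remember_me.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        return self.now() < expiry and secrets.compare_digest(digest, self._digest(token))

    def logout_session_only(self, session_id):
        # Mirrors a logout that invalidates the session but not the cookie
        self.sessions.pop(session_id, None)

    def logout(self, session_id):
        # Full logout: drop the session and revoke the persisted token
        username = self.sessions.pop(session_id, None)
        if username is not None:
            self.remember_me.pop(username, None)
```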

Licensed under: CC-BY-SA with attribution