I'm helping to maintain an app that uses Apache Shiro.
We want our users to be able to logout, but keep their "remember me" cookie, but apparently this isn't supported by Shiro (scroll to bottom of page):
https://shiro.apache.org/java-authentication-guide.html
When you log out in Shiro it will close out the user session and removes any associated identity from the subject instance. If you're using RememberMe in a web environment, then .logout() will, by default, also delete the RememberMe cookie from the browser.
What's the best way to achieve this goal?
Turns out this could be done by using a custom security manager:
public class CustomSecurityManager extends DefaultWebSecurityManager {
@Override
protected void beforeLogout(Subject subject)
{
super.removeRequestIdentity(subject);
}
}