Executive Summary

This vulnerability in Keycloak involves a session management logic flaw with the "Remember Me" feature. When an administrator disables "Remember Me" at the realm level, existing user sessions created while it was enabled continue to have extended lifetimes until they expire naturally. This happens because the session expiration logic only checks the session-local "remember-me" flag and does not revalidate the current realm-level setting. Consequently, the system does not immediately enforce the disabling of "Remember Me" on active sessions, allowing long-lived sessions to persist beyond the administrator's security changes, increasing the risk of session hijacking or unauthorized long-term access. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers who have previously compromised a "Remember Me" session (for example, by stealing the identity cookie) to maintain unauthorized access for the full original session duration, even after the "Remember Me" feature has been disabled by an administrator. This extended session lifetime increases the window of opportunity for session hijacking or unauthorized long-term access persistence, potentially compromising user accounts and sensitive data. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection involves identifying active user sessions that were created while the 'Remember Me' feature was enabled and verifying if they retain extended session lifetimes despite the feature being disabled at the realm level. Since the flaw is in session management logic, you can inspect Keycloak session data or logs for sessions with the 'remember-me' flag set. Specific commands depend on your Keycloak setup, but generally, you can query the Keycloak database or use the Keycloak Admin REST API to list active sessions and check their attributes. For example, using the Keycloak Admin CLI or REST API, you can list sessions and filter for those with the 'remember-me' flag still active. Additionally, monitoring network traffic for long-lived session cookies might help identify potentially affected sessions. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include invalidating or terminating all existing user sessions that were created while the 'Remember Me' feature was enabled. This forces users to re-authenticate under the new security configuration. Administrators should disable the 'Remember Me' setting at the realm level and then perform a session revocation or logout of all active sessions to ensure no extended sessions persist. Applying any available patches or updates from Keycloak that address this issue is also recommended. [1]

Useful 0 Not Useful 0