In SimpleCookie, this does a response.addHeader(). If the user is logging in and requests rememberMe, forgetIdentity() will add a rememberMe cookie with Max-Age=0, and here another rememberMe cookie will be set.
I think the behavior for setting two cookies with the same name in the same HTTP response is undefined in RFC2109. In the latest Google Chrome, it looks like the Max-Age=0 one wins, so rememberMe is not working.

---
Reply to this email directly or view it on GitHub:
https://github.com/apache/shiro/commit/c5cb46538b3036d9ffcfdd300c17c2d380855ba6#commitcomment-701631
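
A regression check for the situation this comment describes, added here as an example; it is not part of the original comment or of Shiro's code. The class and method names are hypothetical, the header values are constructed, and cookies are matched by name only (Path and Domain are ignored as a simplification).

```java
import java.util.*;

public class DuplicateSetCookieCheck {

    /** Cookie name from one Set-Cookie header value ("name=value; attr; ..."). */
    static String cookieName(String setCookieValue) {
        String pair = setCookieValue.split(";", 2)[0];
        int eq = pair.indexOf('=');
        return (eq < 0 ? pair : pair.substring(0, eq)).trim();
    }

    /** True if the attributes include Max-Age=0, i.e. the header asks for deletion. */
    static boolean isDeletion(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) { // index 0 is the name=value pair
            String[] kv = parts[i].trim().split("=", 2);
            if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("Max-Age")
                    && kv[1].trim().equals("0")) {
                return true;
            }
        }
        return false;
    }

    /** Names of cookies that a single response both deletes and sets. */
    static Set<String> conflictingCookies(Collection<String> setCookieValues) {
        Map<String, boolean[]> seen = new LinkedHashMap<>(); // name -> {deleted, set}
        for (String value : setCookieValues) {
            boolean[] flags = seen.computeIfAbsent(cookieName(value), k -> new boolean[2]);
            flags[isDeletion(value) ? 0 : 1] = true;
        }
        Set<String> conflicts = new LinkedHashSet<>();
        seen.forEach((name, flags) -> { if (flags[0] && flags[1]) conflicts.add(name); });
        return conflicts;
    }

    public static void main(String[] args) {
        // Constructed sample: the two rememberMe headers described above, plus an
        // unrelated session cookie that must not be reported.
        List<String> headers = Arrays.asList(
            "rememberMe=CONSTRUCTED_DELETED; Path=/; Max-Age=0",
            "rememberMe=CONSTRUCTED_VALUE; Path=/; Max-Age=31536000; HttpOnly",
            "JSESSIONID=CONSTRUCTED_ID; Path=/; HttpOnly");
        System.out.println("Conflicting cookies: " + conflictingCookies(headers));
    }
}
```

In a servlet test, the input can come from `HttpServletResponse.getHeaders("Set-Cookie")` (Servlet 3.0 and later); a non-empty result after a rememberMe login means the response still carries both headers.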
