Hi. I think I understand your question better now, but I think you may have some confusion over how RememberMe works. By default in Shiro, a remembered user is not authenticated, and no auto-login is supported. So, unless you have written code to override that behavior, you probably do not need to worry about revoking all outstanding remember me cookies. The user still has to re-authenticate even if they are remembered. A good discussion of the default behavior is in this question: http://shiro-user.582556.n2.nabble.com/Rememberme-vs-authentication-td3084550.html
That said, Shiro has no way I know of to revoke all outstanding remember me cookies for a given user, if you still think you need to do that. If you think about it, this is essentially impossible, since the cookie resides in the user's browser, not the server; so unless the user interacts with the server via the browser, the server cannot unset a cookie. I think you could extend the CookieRememberMeManager class so that it stored a key/value pair of a random UUID/username in a database, and set just the UUID in the cookie; then you could delete that pair from the database when you wanted to invalidate all RememberMe tokens; whenever a new session is created, you could then verify that any existing RememberMe token is validated by the information in the database. That level of complexity is beyond what most people need. I hope that is clearer.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-force-a-remembered-user-to-be-forgotten-tp7579089p7579094.html
Sent from the Shiro User mailing list archive at Nabble.com.
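The design sketched in the reply above (random UUID in the cookie, the real identity held server-side so it can be revoked) as an added example; this is not code from the original post or from the Shiro project. It relies on two Shiro 1.x extension points that do exist on `AbstractRememberMeManager`, `convertPrincipalsToBytes` and `convertBytesToPrincipals`, which `CookieRememberMeManager` uses to produce and consume the cookie value. The `Entry` record, the in-memory `store` map and the `revokeAll` method are assumptions standing in for the database table the post describes.

```java
// Added example, not part of the original post or of Shiro itself.
// Server-side remember-me tokens: the cookie carries only a random UUID; the principals
// it maps to live in a store the server controls, so every token for a user can be dropped.
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class RevocableRememberMeManager extends CookieRememberMeManager {

    // Hypothetical server-side row: which user a token belongs to and what to restore.
    private static final class Entry {
        final String username;
        final PrincipalCollection principals;

        Entry(String username, PrincipalCollection principals) {
            this.username = username;
            this.principals = principals;
        }
    }

    // In-memory stand-in (assumption) for the database table keyed by the random UUID.
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    // Called by the base class on a successful "remember me" login. Instead of serialising
    // and encrypting the principals into the cookie, keep them here and return only the
    // UUID; the base class base64-encodes these bytes into the cookie value.
    @Override
    protected byte[] convertPrincipalsToBytes(PrincipalCollection principals) {
        String token = UUID.randomUUID().toString();
        String username = String.valueOf(principals.getPrimaryPrincipal());
        store.put(token, new Entry(username, principals));
        return token.getBytes(StandardCharsets.UTF_8);
    }

    // Called by the base class when a new Subject is built from a request carrying the cookie.
    // An unknown or revoked UUID resolves to null, so the browser's cookie restores nothing.
    @Override
    protected PrincipalCollection convertBytesToPrincipals(byte[] bytes, SubjectContext ctx) {
        String token = new String(bytes, StandardCharsets.UTF_8);
        Entry entry = store.get(token);
        return entry == null ? null : entry.principals;
    }

    // The operation the question asks for: invalidate every outstanding token for one user.
    // The cookies themselves stay in the users' browsers, but they no longer map to anything.
    public int revokeAll(String username) {
        int removed = 0;
        for (Map.Entry<String, Entry> e : store.entrySet()) {
            if (e.getValue().username.equals(username) && store.remove(e.getKey()) != null) {
                removed++;
            }
        }
        return removed;
    }
}
```

Wire it in through `securityManager.rememberMeManager` as you would the stock `CookieRememberMeManager`; nothing about the cookie name, path or flags changes. Because the cookie now holds an opaque random value rather than encrypted principals, the cipher key management the default manager needs for its cookie becomes irrelevant to token validity, and the store becomes the thing to protect and to expire (the in-memory map here never evicts old rows, which a real table would need to do).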
