concord-server: delete remember me cookie only if present

server/impl/src/main/java/com/walmartlabs/concord/server/security/rememberme/ConcordRememberMeManager.java

@@ -30,10 +30,13 @@
 import org.apache.shiro.subject.SimplePrincipalCollection;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.web.mgt.CookieRememberMeManager;
+import org.apache.shiro.web.util.WebUtils;
 
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
 import java.util.Collection;
+import java.util.stream.Stream;
 
 /**
  * Implementation of {@link org.apache.shiro.mgt.RememberMeManager}. Uses the DB to store session data.
@@ -51,7 +54,7 @@ public ConcordRememberMeManager(RememberMeConfiguration cfg) {
             setCipherKey(cipherKey);
         }
 
-        int maxAge = (int)cfg.getRememberMeMaxAge().getSeconds();
+        int maxAge = (int) cfg.getRememberMeMaxAge().getSeconds();
         getCookie().setMaxAge(maxAge);
 
         setSerializer(new PrincipalCollectionSerializer());
@@ -74,6 +77,21 @@ protected void rememberIdentity(Subject subject, PrincipalCollection src) {
         super.rememberIdentity(subject, dst);
     }
 
+    @Override
+    protected void forgetIdentity(Subject subject) {
+        if (!WebUtils.isHttp(subject)) {
+            return;
+        }
+
+        // delete the "remember me" cookie only if it is present
+        HttpServletRequest request = WebUtils.getHttpRequest(subject);
+        var rememberMeCookieName = getCookie().getName();
+        if (Stream.of(request.getCookies())
+                .anyMatch(cookie -> cookie.getName().equals(rememberMeCookieName))) {
+            super.forgetIdentity(subject);
+        }
+    }
+
     private static class PrincipalCollectionSerializer implements Serializer<PrincipalCollection> {
         @Override
         public byte[] serialize(PrincipalCollection principalCollection) throws SerializationException {