consent: Always bust auth session if remember is false

Closes #859
ory · May 20, 2018 · b2725a7 · b2725a7
1 parent 7675144
commit b2725a7
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
@@ -332,12 +332,10 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 	}
 
 	if !session.Remember {
-		if session.Subject != session.AuthenticationRequest.Subject {
-			// We should not remember the session but at the same time a different user has logged in than was previously
-			// logged in - so let's bust that authentication.
-			if err := s.revokeAuthenticationSession(w, r); err != nil {
-				return nil, err
-			}
+		// If the session should not be remembered, than the user clearly don't wants us to store a cookie. So let's
+		// bust the authentication session (if one exists).
+		if err := s.revokeAuthenticationSession(w, r); err != nil {
+			return nil, err
 		}
 
 		return session, nil