Why does OIDCLoginProtocolService.kcinitBrowserLoginComplete expire cookies?

Hello, I’m new to Keycloak. We are using Keycloak SSO for several applications so the users only have to authenticate once and can then use all applications. These are web applications, but also Java Swing programs. We’ve updated KeycloakInstalled in the Swing app from version 8 to 11 and removed our implemented loginResponseWriter.

Now we have the problem that the session no longer works when logging in via the Swing application. Remember me does not stay active, nor can we use SSO and use the other web applications. After our analysis, we found that the cookies KEYCLOAK_IDENTITY and KEYCLOAK_REMEMBER_ME are invalidated by the method org.keycloak.protocol.oidc.OIDCLoginProtocolService.kcinitBrowserLoginComplete(boolean).

We ask ourselves why this is the case and whether it represents a security risk if we deactivate the invalidation of these cookies in our Keycloak server code.

We are grateful for any help and tips.