0

We are using Spring MVC with Spring Security.

These are the requirements for our login system:

  • The site should be useable for anonymous users including the settings of preferences (for example turning a filter on a page on or off).
  • These preferences should be remembered if an anonymous user returns on the next day (in a new session).
  • At any time an anonymous user can choose to register a profile (user/password combination) and all preferences set by the previously anonymous user should be stored in the new profile.
  • Alternatively an anonymous user can choose to sign in with an already registered profile and they should be presented with the option to store the preferences they set anonymously into their profile.
  • Registered users can log in to the page and their login should be remembered.

I am able to persist signed-in users across sessions by using Spring Security Remember Me, and I am able to persist an anonymous user across sessions by setting a cookie by hand.

What would be a more elegant solution for this scenario (preferably using Spring Security)? Is it possible to use the Spring Security Remember Me feature for anonymous users?

Lukas Schmelzeisen

1 Answer

0

It doesn't really make sense to think about using remember-me authentication for anonymous users. Remember-me requires that the user actually exists and by definition, it authenticates them as an individual. It sounds like you just want to create a cookie containing the user's settings, which isn't really related to security. You should just do that yourself in your app. That seems like the most obvious solution to me.

Once a user has registered, then you can use remember-me with their account, but how you code the logic for creating a new user profile is up to you and using the settings from the current cookie would be part of that process.

Shaun the Sheep
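
An added example (not code from the answer or from Spring Security): a JDK-only sketch of the hand-made preference cookie the answer describes. It treats the cookie value as client-controlled input and copies only allow-listed keys and values into the profile at registration or sign-in. The class name, the cookie name `anon_prefs`, the preference keys and the 512-character limit are assumptions.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
// Hypothetical helper for illustration; none of these names come from Spring Security.
public class AnonymousPrefsCookie {
    static final String NAME = "anon_prefs"; // assumed cookie name
    // Assumed allow-list of preference keys and the values each may take.
    static final Map<String, Set<String>> ALLOWED = Map.of(
            "filter", Set.of("on", "off"), "theme", Set.of("light", "dark"));

    // Set-Cookie header value that keeps the preferences for 30 days.
    static String toSetCookie(Map<String, String> prefs) {
        StringJoiner v = new StringJoiner("&");
        new TreeMap<String, String>(prefs).forEach((k, val) -> v.add(enc(k) + "=" + enc(val)));
        return NAME + "=" + v + "; Max-Age=2592000; Path=/; Secure; HttpOnly; SameSite=Lax";
    }

    // The cookie value is client-controlled: keep only allow-listed key/value pairs.
    static Map<String, String> parse(String cookieValue) {
        Map<String, String> out = new TreeMap<>();
        if (cookieValue == null || cookieValue.length() > 512) return out;
        for (String pair : cookieValue.split("&")) {
            String[] kv = pair.split("=", 2);
            if (kv.length != 2) continue;
            try {
                String k = dec(kv[0]), v = dec(kv[1]);
                if (ALLOWED.getOrDefault(k, Set.of()).contains(v)) out.put(k, v);
            } catch (IllegalArgumentException e) { /* malformed escape: skip this pair */ }
        }
        return out;
    }

    // On registration or sign-in, copy validated preferences; profile values win unless overwrite is set.
    static Map<String, String> mergeIntoProfile(Map<String, String> profile, String cookieValue, boolean overwrite) {
        Map<String, String> merged = new TreeMap<>(profile);
        parse(cookieValue).forEach((k, v) -> { if (overwrite) merged.put(k, v); else merged.putIfAbsent(k, v); });
        return merged;
    }
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        System.out.println(toSetCookie(Map.of("filter", "off")));
        // Constructed cookie value containing a key and a value the application never issued.
        String tampered = "filter=off&unexpected=1&theme=%3Cb%3E";
        System.out.println(mergeIntoProfile(Map.of("theme", "dark"), tampered, false));
    }
}
```

The `overwrite` flag corresponds to the question's requirement that a user signing in to an existing profile is offered the choice of storing the anonymous preferences.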