0

At this point I am completely stumped on how Shiro "rememberMe" services are supposed to work.

I am using Shiro with my app which is hosted on Google App Engine.

I have sessions-enabled set to TRUE in my appengine-web.xml file.

I can see the "rememberMe" cookie being created when I log in to my app. I can also find the cookie (in Chrome > Settings > Cookies) after closing the browser and re-opening. So the cookie is apparently there.

My login code is basically as follows using a form-based login...

    UsernamePasswordToken token = new UsernamePasswordToken( email, password );
    token.setRememberMe(true); 
    theSubject.login(token);

If Authentication is successful, I query for the User object.

The problem is when I close the browser and re-visit the site, the call to: SecurityUtils.getSubject().isRemembered() is always "false".

What am I doing wrong here?

edcincy
  • 321
  • 2
  • 3
  • 14

1 Answers1

0

Seems I always end up figuring things out after I post. :)

The problem was the size of the "rememberMe" cookie. I was having Shiro serialize the entire User object to the cookie.

After much searching, I found that while the cookie will indeed be set, if the cookie is too large (larger than 4K) the browser will just ignore it and not send it in the response.

I have now changed things to only serialize the User key (as a web-safe String) in the cookie. I can then access the key on each request.

Also another change...

After the User logged in, I was setting the User on the Session for easy retrieval. Apparently this is not the best practice.

I'm now only setting the User key in the session.

I can now access the User key from either the cookie, or the Session (after login) and querying for the User (and associated data) when needed.

If anyone has other suggestions, or better ideas, please feel free to post. I'm always willing to learn. :)

edcincy
  • 321
  • 2
  • 3
  • 14