0

I added the remember me functionality to my Spring Boot 2 app. Initially I added it using the persistent mechanism, but I noticed that there's only one row on the persistent table for one user, so it doesn't work if you log on two different browsers. This is problematic because we use the app for developing and testing with the same accounts a lot.

So I added an application.properties option to enable the persistent mechanism in production only. Now with cookie only remember me works also on two different browsers, but I noticed that it does not work at app restart.

Is this the expected behavior? Is there not a way to have a not persistent remember me at server restart?

This is part of my configuration:

@Value("${remember_me.cookie_only}")
private boolean remember_me_cookie_only;

@Autowired
public DataSource dataSource;

@Override
protected void configure(HttpSecurity http) throws Exception {
     http.csrf().disable();
     http.authorizeRequests()
     .antMatchers(...)
     ;

    http.authorizeRequests().and().exceptionHandling().accessDeniedPage("/accessDenied");

    http.authorizeRequests().and().formLogin()
     // Submit URL of login page.
    .loginProcessingUrl("/j_spring_security_check") // Submit URL
    .loginPage("/loginMe")//
    .defaultSuccessUrl("/loginOK",true)//
    .failureUrl("/loginMe?error=true")//
    .usernameParameter("username")//
    .passwordParameter("password")
    .failureHandler(customAuthenticationFailureHandler())
    .and()
        .rememberMe()
        .rememberMeParameter("remember-me")
        .rememberMeCookieName("remember-me")
        .tokenValiditySeconds(24 * 60 * 60)
     .and()
         .logout()
         .invalidateHttpSession(true)
         .deleteCookies("JSESSIONID")
         .logoutUrl("/logout")
         .logoutSuccessUrl("/loginMe")
         .logoutSuccessHandler(logoutSuccessHandler())
     .and()
         .sessionManagement()
         .invalidSessionUrl("/timeout");

    if (! remember_me_cookie_only) {
        http.rememberMe().tokenRepository(persistentTokenRepository());
    }

@Bean
public PersistentTokenRepository persistentTokenRepository() {
    JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
    tokenRepository.setDataSource(dataSource);
    return tokenRepository;
}
Marco Sulla
  • 15,299
  • 14
  • 65
  • 100
  • 1
    *Is this the expected behavior?* Yes. If you restart your server you have to expect that all transient data is removed. See also [`InMemoryTokenRepositoryImpl`](https://docs.spring.io/spring-security/site/docs/4.2.8.RELEASE/apidocs/org/springframework/security/web/authentication/rememberme/InMemoryTokenRepositoryImpl.html) – dur Nov 28 '18 at 13:57
  • Possible duplicate of https://stackoverflow.com/questions/18944073/implementing-remember-me-with-token-and-series-across-multiple-devices – dur Nov 28 '18 at 14:26

1 Answers1

1

It looks like you are not setting a remember-me key. If not set, Spring Security will generate a new key on every start, making previous remember-me cookies invalid.

.rememberMe()
    .key("mySecretKey")

(Replace "mySecretKey" with a random but persistent string.)

holmis83
  • 15,922
  • 5
  • 82
  • 83