
I have a web-application based on SpringBoot and using Spring Security for Log-in and Remember-Me, however Remember-Me doesn't work properly and resets after 1 hour of absence of interaction between client and server.

I have checked the browser's storage for cookies: the remember-me cookie is created and has the correct expiration date (1 day after creation). The second cookie, JSESSION, has expiration = session. And I think this is causing the problem.

+-------------+-----------+------+--------------------------------+
|    Name     |  Domain   | Path | Expires on                     |
+-------------+-----------+------+--------------------------------+
| JSESSIONID  | 127.0.0.1 | /    | session                        |
| remember-me | 127.0.0.1 | /    | Tue, 25 Dec 2018 10:28:22 GMT  |
+-------------+-----------+------+--------------------------------+

Here is my spring security configuration for remember-me:

.and()
.rememberMe()
.key("secretKey")
.tokenValiditySeconds(60*60*24)
.rememberMeParameter("remember-me");

I want that once a person is logged in with the remember-me option chosen, he/she will not need to log in again for the next 24 hours. So is there a possibility to set this JSESSION expiration equal to the remember-me cookie's? I use annotation-driven Spring Boot.

    @dur Yes, after an hour of inactivity (not sending any requests), if I click on any link I get automatically logged out, and consequently end up seeing the login page – FirePapaya Dec 24 '18 at 12:31

1 Answer


JSESSIONID is the cookie that stores your session id. You don't need to set the expiration time of JSESSIONID to that of remember-me.

The mechanism will be able to identify the user across multiple sessions – so the first thing to understand is that Remember Me only kicks in after the session times out. By default, this happens after 30 minutes of inactivity, but the timeout can be configured in the web.xml. In Spring Boot, you can configure the timeout with the help of this link.

The Remember Me cookie contains the following data:

  • username – to identify the logged in principal
  • expirationTime – to expire the cookie; default is 2 weeks
  • MD5 hash – of the previous 2 values – username and expirationTime, plus the password and the predefined key

So it is enough for remembering user credentials. JSESSIONID will be deleted when the session expires or the user closes the browser. After the user comes back, he will get a new session id without needing to log in again, as long as he presents a valid remember-me cookie.

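The cookie layout the answer lists (username, expiry, MD5 over username:expiry:password:key), worked through as an added example that is not code from the question, the answer or Spring Security itself. It is a Python re-implementation of how Spring's TokenBasedRememberMeServices builds and checks the token: the three fields are joined with ':' and base64-encoded with the trailing '=' padding stripped, expiry is an epoch timestamp in milliseconds, and validation runs only when no live JSESSIONID is presented. The user `alice`, her password, the `USERS` table and the timestamps are constructed sample values; `secretKey` and the 24-hour validity mirror the question's configuration.

```python
import base64
import hashlib
import hmac
import time
from typing import Callable, Optional

# Constructed sample values for this example (assumptions, not from the page),
# except KEY and VALIDITY_SECONDS, which mirror the question's configuration.
KEY = "secretKey"                 # .key("secretKey"): a placeholder; use a long random secret
VALIDITY_SECONDS = 60 * 60 * 24   # .tokenValiditySeconds(60*60*24)
USERS = {"alice": "s3cret"}       # username -> password string as stored for the user


def signature(username: str, expiry_ms: int, password: str, key: str) -> str:
    """MD5 hex of 'username:expiry:password:key', the hash the answer describes."""
    data = f"{username}:{expiry_ms}:{password}:{key}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def encode_cookie(plain: str) -> str:
    """Base64 without trailing '=' padding, as Spring's encodeCookie emits it."""
    return base64.b64encode(plain.encode("utf-8")).decode("ascii").rstrip("=")


def decode_cookie(cookie: str) -> str:
    """Restore the stripped padding and decode; raises ValueError on garbage input."""
    padded = cookie + "=" * (-len(cookie) % 4)
    return base64.b64decode(padded, validate=True).decode("utf-8")


def make_cookie(username: str, password: str, key: str = KEY,
                validity_seconds: int = VALIDITY_SECONDS,
                now_ms: Optional[int] = None) -> str:
    """Value the server sets in the remember-me cookie after a successful login."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    expiry_ms = now_ms + validity_seconds * 1000   # Spring uses epoch milliseconds
    sig = signature(username, expiry_ms, password, key)
    return encode_cookie(f"{username}:{expiry_ms}:{sig}")


def validate_cookie(cookie: str, lookup_password: Callable[[str], Optional[str]],
                    key: str = KEY, now_ms: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is well-formed, unexpired and correctly
    signed, else None. This is the check that lets a returning user get a fresh
    session (new JSESSIONID) without seeing the login page."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        plain = decode_cookie(cookie)
    except (ValueError, UnicodeDecodeError):
        return None
    parts = plain.split(":")          # Spring splits on every ':' and wants exactly 3 fields
    if len(parts) != 3:
        return None
    username, expiry_str, presented = parts
    try:
        expiry_ms = int(expiry_str)
    except ValueError:
        return None
    if expiry_ms < now_ms:            # token validity elapsed: cookie is ignored
        return None
    password = lookup_password(username)
    if password is None:              # unknown user
        return None
    expected = signature(username, expiry_ms, password, key)
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return None
    return username


def forge_expiry(cookie: str, new_expiry_ms: int) -> str:
    """Attacker attempt: keep the original signature but push the expiry out.
    It fails validation because the expiry is part of the signed data."""
    username, _, sig = decode_cookie(cookie).split(":")
    return encode_cookie(f"{username}:{new_expiry_ms}:{sig}")


if __name__ == "__main__":
    login_ms = 1_545_000_000_000          # constructed login time (Dec 2018)
    cookie = make_cookie("alice", USERS["alice"], now_ms=login_ms)
    print("remember-me =", cookie)
    print("after 1h :", validate_cookie(cookie, USERS.get, now_ms=login_ms + 3_600_000))
    print("after 25h:", validate_cookie(cookie, USERS.get, now_ms=login_ms + 25 * 3_600_000))
```

Two things the example makes visible that matter in practice: the signature covers the stored password, so changing the password invalidates every outstanding remember-me cookie for that user, and the only secret protecting the token is the configured key, so the literal `"secretKey"` from the question is fine for a demo but should be a long random value in a real deployment.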