Spring Boot Security | Remember Me and session Cookie #2
Keeping a session open, so that you do not have to log in every time you visit a page, is a common requirement. Known as “Remember Me”, it is an option in the login form that creates a cookie in the browser to keep the session open across visits.
This cookie created by Spring Security has the following composition:
- Username: identifies the user who logged in.
- ExpirationTime: the lifetime of the created cookie (the time at which it expires).
- MD5 hash: the hash of the two preceding attributes, username and expirationTime, together with the user's password and a predefined key.
Important: since the cookie's hash is computed from the username and the password, if either of them changes the cookie stops being valid.
The biggest weakness of this method is that if the cookie is intercepted, a third party can reuse it until it expires.
How to use Remember Me
We will rely on the previous tutorial and use that code as an example. If you have not seen it, I invite you to read it or download the GitHub repository:
- Tutorial: http://cristianruizblog.com/spring-boot-security-login/
- Repository: HTTPS://GITHUB.COM/CRUIZG93/SPRINGBOOT-SECURITY-MYSQL
Step by step:
- Add the option to your login form; in this case, in the index.html file.
- Tell Spring Security that you need it to generate the “remember-me” cookie, and to delete the JSESSIONID cookie when you log out. You only have to add the following options to the configuration:
.rememberMe().key("UniqueAndSecret")
.and()
.logout().deleteCookies("JSESSIONID")
By default the parameter's name is “remember-me” and the duration is two weeks, but both can easily be changed like this:
.rememberMe().key("UniqueAndSecret")
    .tokenValiditySeconds(60) // cookie validity in seconds: 60 = one minute
    .rememberMeParameter("input-field-name")
That is how you set the cookie that remembers the session. The video tutorial shows you how to check that the cookie is being used.
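To make the cookie composition described above concrete, here is an added example (not code from this tutorial or its repository) that builds, decodes and validates a cookie laid out like Spring Security's TokenBasedRememberMeServices token: base64 of username:expiryMillis:md5hex(username:expiryMillis:password:key). The key is the one set with .rememberMe().key(...), the password is the stored value the UserDetailsService returns, and the usernames and password values used are constructed.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample key: the value passed to .rememberMe().key(...) in the config.
KEY = "UniqueAndSecret"
TWO_WEEKS_S = 14 * 24 * 60 * 60  # Spring Security's default token validity


def make_signature(username: str, expiry_ms: int, password: str, key: str) -> str:
    """MD5 over "username:expiry:password:key", the hash field of the cookie."""
    data = f"{username}:{expiry_ms}:{password}:{key}"
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_cookie(username: str, password: str, key: str,
                validity_s: int = TWO_WEEKS_S, now_ms: Optional[int] = None) -> str:
    """Cookie value: base64("username:expiry_ms:md5hex") with '=' padding stripped."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    expiry_ms = now_ms + validity_s * 1000
    sig = make_signature(username, expiry_ms, password, key)
    raw = f"{username}:{expiry_ms}:{sig}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def decode_cookie(cookie: str) -> Tuple[str, int, str]:
    """Split a cookie into (username, expiry_ms, signature); the username is in the clear."""
    padded = cookie + "=" * (-len(cookie) % 4)
    parts = base64.b64decode(padded).decode("utf-8").split(":")
    if len(parts) != 3:
        raise ValueError("remember-me cookie must have exactly three fields")
    return parts[0], int(parts[1]), parts[2]


def validate_cookie(cookie: str, stored_password: str, key: str,
                    now_ms: Optional[int] = None) -> Optional[str]:
    """Server-side check: reject expired tokens, then recompute the hash with the
    *current* stored password and key. Returns the username on success, else None."""
    username, expiry_ms, sig = decode_cookie(cookie)
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if expiry_ms < now_ms:
        return None  # token lifetime exceeded
    expected = make_signature(username, expiry_ms, stored_password, key)
    if not hmac.compare_digest(expected, sig):
        return None  # password, key, username or expiry no longer match
    return username
```

Decoding shows the username in clear text, and any holder of an unexpired cookie passes validation, which is the interception risk noted above; changing the stored password or the key invalidates the cookie immediately.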
Repository: https://github.com/cruizg93/SpringBoot-Security-MySql/compare/SimpleRememberMe?diff=unified