1. Overview
In this lesson, we will set up the basics of a Remember-Me flow and analyze how it works in the browser.
The main issue we aim to solve is the user experience with sessions. Every time a user visits our application or when their session expires, they must log in again, which can be inconvenient. In this lesson, we will explore a simple cookie-based solution.
The relevant module we need to import when starting this lesson is: simple-remember-me-start.
If we want to reference the fully implemented lesson, we can import: simple-remember-me-end.
2. About Remember-me
Remember-Me is a mechanism that solves this by remembering the authenticated principal across different sessions. This allows the user to remain authenticated even after their original HTTP session has timed out or been cleared.
Spring Security offers two main options for this:
- Cookie-based: A simpler approach where the token is stored entirely in a cookie.
- Persistence-based: The token is stored in a database, making it more secure.
3. The Security Configuration
The first step is to enable the Remember-Me functionality in our security configuration.
Because we are using Spring Security’s fluent configuration API, enabling this feature is straightforward. We will modify our LssSecurityConfig class and add the .rememberMe(Customizer.withDefaults()) configurer to the filter chain:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// ... existing configuration
.formLogin((form) -> form
.loginPage("/login").permitAll()
.loginProcessingUrl("/doLogin"))
.rememberMe(Customizer.withDefaults())
// ... logout configuration
return http.build();
}While there are many customization options available, this simple configuration is sufficient to enable the basic flow.
4. The Login Page
Now that the backend is configured, we need to enable users to opt in to this feature via the login page. We’ll open loginPage.html and add a checkbox to the login form. This input must have the name remember-me, as this is the default name Spring Security looks for (though it is configurable):
<form th:action="@{/doLogin}" method="post" class="form-horizontal">
// username, password input
<div class="form-group">
<label class="control-label col-xs-2" for="remember"> Remember Me? </label>
<div class="col-xs-10">
<input id="remember" type="checkbox" name="remember-me" value="true" />
</div>
</div>
// form action
</form>This setup allows the remember-me parameter to be sent along with the username and password when the form is submitted.
5. Understanding the Cookies
Now, let’s run the application and observe how the cookies behave.
To access the cookies, first launch the application in a browser, then open the Developer Tools. In most browsers, you can do this via Settings → More Tools → Developer Tools, or simply by pressing F12. Once the Developer Tools are open, navigate to the Application tab in Chrome or the Storage tab in Firefox, and then select the Cookies option.
When we first visit the login page, there will be just the standard JSESSIONID cookie present:
If we log in without checking the “Remember Me” box, we will see a standard JSESSIONID cookie. This cookie drives our authentication process and expires when the session ends (e.g., when we close the browser or log out).
However, if we log out and log back in with the “Remember Me” checkbox selected, the result is different.
This time, we see two cookies: the JSESSIONID and a new remember-me cookie.
There is a major difference between these two:
- The JSESSIONID cookie usually expires at the end of the session.
- The remember-me cookie has a set expiration date. By default, this is two weeks.
This means the remember-me cookie will stick around and identify the user long after the JSESSIONID cookie has been removed.
6. Verifying the Flow
To truly understand how this works, let’s perform a simple manual test.
First, ensure we are logged in with the “Remember Me” function active. Then, using our browser’s developer tools, we will manually delete the JSESSIONID cookie.
Normally, removing the session cookie would force us to log in again. However, if we refresh the page now, we stay logged in.
Even though the main authentication cookie was removed, Spring Security detected the valid remember-me cookie and used it to re-authenticate us.
If we check our cookies again, we will see that the application has issued a new JSESSIONID. This confirms that the application successfully used the remember-me token to create a new session for us automatically.
7. Conclusion
In this lesson, we implemented a basic Remember-Me flow using Spring Security.
We configured the backend to recognize the remember-me token, updated our login form to send the request, and verified that the remember-me cookie allows a user to maintain access even after their session cookie has been deleted.