Spring Security RememberMe Services with Session Cookie

Posted by Jarrod on Stack Overflow See other posts from Stack Overflow or by Jarrod
Published on 2010-04-09T14:46:36Z Indexed on 2010/04/09 15:53 UTC
Read the original article Hit count: 1275

I am using Spring Security's RememberMe Services to keep a user authenticated.

I would like to find a simple way to have the RememberMe cookie set as a session cookie rather than with a fixed expiration time. For my application, the cookie should persist until the user closes the browser.

Any suggestions on how to best implement this? Any concerns on this being a potential security problem?

The primary reason for doing so is that with a cookie-based token, any of the servers behind our load balancer can service a protected request without relying on the user's Authentication to be stored in an HttpSession. In fact, I have explicitly told Spring Security to never create sessions using the namespace. Further, we are using Amazon's Elastic Load Balancing, and so sticky sessions are not supported.

NB: Although I am aware that as of Apr. 08, Amazon now supports sticky sessions, I still do not want to use them for a handful of other reasons. Namely that the untimely demise of one server would still cause the loss of sessions for all users associated with it. http://aws.amazon.com/about-aws/whats-new/2010/04/08/support-for-session-stickiness-in-elastic-load-balancing/

© Stack Overflow or respective owner

Related posts about spring-security

Related posts about spring