Remember-Me Authentication

About

Remember-Me Authentication is a feature in Spring Security that allows users to stay logged in even after their session expires or they close the browser. When enabled, Spring Security generates a persistent authentication token, which is stored on the client-side (usually as a cookie) and verified on subsequent visits.

It improves user experience by avoiding frequent logins while ensuring authentication security.

How Does Remember-Me Authentication Work?

Step 1: User Logs In and Opts for Remember-Me

  • The user provides valid credentials (username & password).

  • If they check the "Remember Me" option, a persistent token is generated.

Step 2: Server Stores a Persistent Token

  • The server generates and stores an authentication token.

  • This token is saved in either:

    • Cookies (Default Method) – A token-based cookie is stored on the client’s browser.

    • Database (Persistent Token Approach) – A record is stored in the database.

Step 3: User Returns and Gets Automatically Logged In

  • When the user revisits the site, the token is sent back to the server via the cookie.

  • Spring Security verifies the token:

    • If valid → User is automatically authenticated.

    • If invalid or expired → User is asked to log in again.

Types of Remember-Me Authentication in Spring Security

Spring Security provides two main approaches for Remember-Me Authentication:

1. Token-Based (Hashing Method) – Default Approach

  • Uses a hash of username, password, expiration time, and a key.

  • The generated token is stored as a cookie.

  • The server does not maintain any database record.

  • Less secure because token verification relies on a static hash.

2. Persistent Token-Based (Database Approach) – Recommended for Security

  • Stores a randomly generated token in a database along with the username.

  • The server can revoke or expire tokens manually.

  • More secure as tokens can be invalidated.

Remember-Me Cookie Structure

Spring Security stores the Remember-Me token in the client’s browser as a cookie. The default format is:

remember-me=USERNAME:EXPIRATION_TIME:HASHED_TOKEN

Example:

remember-me=admin:1699999999:74b87337454200d4d33f80c4663dc5e5

Where:

  • admin → Username

  • 1699999999 → Expiration timestamp

  • 74b873... → Hashed token

Implementing Remember-Me Authentication in Spring Security

Method 1: Token-Based Remember-Me (Default)

Step 1: Enable Remember-Me in Spring Security

javaCopyEdit@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults())
            .rememberMe(rm -> rm
                .key("my-secret-key")  // Secret key to generate tokens
                .tokenValiditySeconds(604800)  // Token valid for 7 days
            );
        return http.build();
    }
}

  • .key("my-secret-key") → Ensures security by hashing the remember-me token.

  • .tokenValiditySeconds(604800) → Sets expiration time (7 days).

Method 2: Persistent Token-Based Remember-Me (Recommended for Security)

Step 1: Create Database Table to Store Tokens

sqlCopyEditCREATE TABLE persistent_logins (
    username VARCHAR(64) NOT NULL,
    series VARCHAR(64) PRIMARY KEY,
    token VARCHAR(64) NOT NULL,
    last_used TIMESTAMP NOT NULL
);

Step 2: Configure Persistent Remember-Me in Spring Security

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Autowired
    private DataSource dataSource;  // Inject database connection

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults())
            .rememberMe(rm -> rm
                .key("my-secure-key")
                .tokenRepository(persistentTokenRepository()) // Use database storage
                .tokenValiditySeconds(1209600) // 14 days
            );
        return http.build();
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl repository = new JdbcTokenRepositoryImpl();
        repository.setDataSource(dataSource);
        return repository;
    }
}

  • Uses a database-backed token repository.

  • The token is stored in persistent_logins table.

  • More secure as tokens can be revoked manually.

Security Risks & How to Mitigate Them

Security Risk

Mitigation Strategy

Token Theft (Man-in-the-Middle Attacks)

Use HTTPS to encrypt token transmission.

Cookie Theft (Cross-Site Scripting - XSS)

Set HttpOnly and Secure flags on cookies.

Token Reuse (Replay Attacks)

Use database-backed persistent tokens instead of static hashes.

Stolen Device Login

Provide a way to revoke active Remember-Me sessions.

Setting Secure Cookie Attributes

rememberMe(rm -> rm
    .key("my-secure-key")
    .useSecureCookie(true)  // Ensures cookies are sent over HTTPS
    .rememberMeCookieName("custom-remember-me") // Custom cookie name
);

When to Use Remember-Me Authentication?

Scenario

Why Use Remember-Me?

Web Applications with Frequent Logins

Enhances user experience by reducing login prompts.

Low-Risk Applications

Suitable for apps where authentication security is less critical.

Customer-Facing Services

Keeps users logged in for extended sessions.

When NOT to Use Remember-Me Authentication?

Scenario

Alternative Approach

Highly Secure Systems (e.g., Banking, Finance, Healthcare)

Use Multi-Factor Authentication (MFA) instead.

Shared Devices or Public Computers

Disable Remember-Me to prevent unauthorized access.

REST APIs & Mobile Applications

Use JWT or OAuth2 for token-based authentication.

PreviousAPI Key AuthenticationNextCustom Authentication

Last updated

Was this helpful?