I'm curious how Remember Me works in general and how it works in Spring Security.
I understand that the server sends long-lived cookies to the client. The client then sends the cookie back and the server can recognize the client because there is something like a hash map on the server with the relation cookie --> session.
I don't understand how the server [server-side application] recognizes a client by cookie after the server [Tomcat] has been restarted.
How and where does Spring Security save the cookie-session map before server shutdown? Is it server-specific (i.e. does something different happen in Tomcat, Jetty etc.)?
P.S. One more related problem with Spring Security and redeployment: even if I don't tick Remember Me and log in, I'm still recognized after redeployment for about 3 minutes. Is it fixable?
Don't confuse session cookies with Remember Me cookies.
The session cookie is sent by the server (e.g. Tomcat) and used to associate an incoming request with the session.
The Remember Me cookie is sent by Spring Security to authenticate the client in different sessions (e.g. after expiration of the original session or after a server restart).
To authenticate a user by Remember Me cookie, Spring Security provides 2 strategies:
- TokenBasedRememberMeServices - used by default, less secure - the cookie contains a hash of the password and other data
- PersistentTokenBasedRememberMeServices - more secure, requires database access - the cookie contains a unique identifier stored in the database

The Spring Security docs discuss how this actually works.
This approach uses hashing to achieve a useful remember-me strategy. In essence a cookie is sent to the browser upon successful interactive authentication, with the cookie being composed as follows:
base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" + password + ":" + key))
...
As such the remember-me token is valid only for the period specified, and provided that the username, password and key do not change. Notably, this has a potential security issue in that a captured remember-me token will be usable from any user agent until such time as the token expires. This is the same issue as with digest authentication.
Basically the cookie contains the username, password, expiration time and a key (which you specify), all of which are hashed together. When your browser sends the contents of this cookie to the server, Spring Security:
- md5Hex() of the username/password/etc from the database and compares it to the value in the cookie

The underlying assumption here is that the hash function - the md5Hex() part above - provides a way to easily encode some piece of data in one direction yet is incredibly hard and impractical to reverse (to recover the password from the md5Hex text).
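As an added example that is not part of either answer or of Spring Security's own code, the token-based cookie format quoted from the docs above implemented in Python. The user store, password and key are constructed here for illustration (in a real deployment the password comes from the user store and the key from your Spring Security configuration). It shows why no server-side cookie-to-session map has to survive a restart: verification recomputes the hash from the stored password and the key, and it fails when the token has expired, when the password has changed, or when the key has changed.

```python
import base64
import hashlib
import hmac

# Constructed sample data: a minimal user store and a server key.
# Assumption: the store holds the value Spring would feed into the hash
# (its stored password representation); the key is whatever is configured.
USER_STORE = {"alice": "correct horse battery staple"}
SERVER_KEY = "hypothetical-remember-me-key"

DAY_MS = 24 * 60 * 60 * 1000


def _signature(username: str, expiry_ms: int, password: str, key: str) -> str:
    # md5Hex(username + ":" + expirationTime + ":" + password + ":" + key)
    data = f"{username}:{expiry_ms}:{password}:{key}".encode()
    return hashlib.md5(data).hexdigest()


def make_token(username: str, password: str, key: str, expiry_ms: int) -> str:
    """Build the cookie value: base64(username:expirationTime:md5Hex(...))."""
    raw = f"{username}:{expiry_ms}:{_signature(username, expiry_ms, password, key)}"
    return base64.b64encode(raw.encode()).decode()


def verify_token(cookie: str, user_store: dict, key: str, now_ms: int):
    """Return the username if the cookie is valid at now_ms, otherwise None.

    Nothing here depends on server state other than the user store and the
    key, which is why the login survives a restart without any saved map.
    """
    try:
        raw = base64.b64decode(cookie).decode()
    except Exception:
        return None  # not base64 or not text: reject
    parts = raw.split(":")
    if len(parts) != 3:
        return None  # malformed token
    username, expiry_str, presented = parts
    if not expiry_str.isdigit():
        return None
    expiry_ms = int(expiry_str)
    if expiry_ms < now_ms:
        return None  # expired: the only time limit the scheme enforces
    password = user_store.get(username)
    if password is None:
        return None  # unknown user
    expected = _signature(username, expiry_ms, password, key)
    # Constant-time comparison so timing does not leak how many hex chars matched.
    if not hmac.compare_digest(expected, presented):
        return None  # password or key changed, or cookie tampered with
    return username


def demo():
    now = 1_700_000_000_000  # constructed "current time" in ms since the epoch
    token = make_token("alice", USER_STORE["alice"], SERVER_KEY, now + DAY_MS)
    return {
        "valid": verify_token(token, USER_STORE, SERVER_KEY, now),
        "after_expiry": verify_token(token, USER_STORE, SERVER_KEY, now + 2 * DAY_MS),
        "password_changed": verify_token(token, {"alice": "new-password"}, SERVER_KEY, now),
        "key_changed": verify_token(token, USER_STORE, "other-key", now),
    }


if __name__ == "__main__":
    print(demo())
```

The expiry check is the only thing that limits a stolen cookie, which is the point the docs make: the token does not encode anything about the user agent, so rotating the key or changing the password is the way to invalidate all outstanding tokens before they expire.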