So, I have in my application spring security and have introduced remember me functionality when the checkbox is checked in.
I wanted to know what is the exact behavior: if I set </remember-me> tag and specify for the rememberMeServices tokenValiditySeconds to 20 seconds, shouldn't the session expire and ask me to log in again?
Do I have to set:
<session-config>
<session-timeout>XX</session-timeout>
</session-config>
So it matches the SPRING_SECURITY_REMEMBER_ME cookie tokenValiditySeconds?
UPDATE
Does it matter if I've implemented my own PersistentTokenBasedRememberMeServices?
I had to override the default PersistentTokenBasedRememberMeServices coming from Spring, because the PersistentRememberMeToken did not have any no-arg constructor, thus unable to use Hibernate for that, so what I did, I just wrote my own PersistentRememberMeToken, PersistentTokenBasedRememberMeServices (which, by the way, do not have anything special beside me introducing the no-arg constructor in PersistentRememberMeToken, beside that, it's copy paste from Spring's source)
Having a remember-me token which is valid for less than the session-timeout will have no effect on your authentication during that session, if that's what you are asking.
Once you are authenticated during a session, your authentication is valid for the duration of that session, unless you log out or the session expires.
The remember-me token is only considered if you are unauthenticated, otherwise it will be ignored.
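The behaviour described in this answer, as an added example that is not part of the original answer and is not Spring Security's code: a simplified Java model of when the session decides and when the remember-me token is consulted. All class, method and field names are hypothetical, the 30-minute session timeout and 14-day token lifetime are assumed values, and the model does not renew the token on auto-login.

```java
// Simplified model, NOT Spring Security code. All names are hypothetical.
public class RememberMeTimeline {
    final long sessionTimeoutSec;   // <session-timeout>, converted to seconds
    final long tokenValiditySec;    // tokenValiditySeconds of the remember-me services
    long lastRequestAt;             // the session idle timer restarts on every request
    long tokenIssuedAt;
    boolean sessionAuthenticated;

    RememberMeTimeline(long sessionTimeoutSec, long tokenValiditySec) {
        this.sessionTimeoutSec = sessionTimeoutSec;
        this.tokenValiditySec = tokenValiditySec;
    }

    // Interactive login at time 0 with the remember-me checkbox ticked.
    void login() {
        sessionAuthenticated = true;
        lastRequestAt = 0;
        tokenIssuedAt = 0;
    }

    // Decide how a request arriving at second `now` is authenticated.
    String request(long now) {
        if (sessionAuthenticated && now - lastRequestAt > sessionTimeoutSec) {
            sessionAuthenticated = false;        // idle session was invalidated
        }
        lastRequestAt = now;
        if (sessionAuthenticated) {
            return "SESSION";                    // token is ignored while authenticated
        }
        if (now - tokenIssuedAt <= tokenValiditySec) {
            sessionAuthenticated = true;         // auto-login starts a fresh session
            return "REMEMBER_ME";
        }
        return "LOGIN_REQUIRED";
    }

    public static void main(String[] args) {
        // The question's setup: 20 s token, assumed 30 min session timeout.
        RememberMeTimeline shortToken = new RememberMeTimeline(30 * 60, 20);
        shortToken.login();
        System.out.println("t=25s   " + shortToken.request(25));    // token already expired
        System.out.println("t=4000s " + shortToken.request(4000));  // session idle too long
        // Token outliving the session: assumed 14 days.
        RememberMeTimeline longToken = new RememberMeTimeline(30 * 60, 14L * 24 * 3600);
        longToken.login();
        System.out.println("t=4000s " + longToken.request(4000));   // session idle too long
        System.out.println("t=4100s " + longToken.request(4100));   // shortly afterwards
    }
}
```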