Why remember me token?

While implementing the "remember me" feature for a website, why do we complicate things and have a token called remember me token apart from a session token.

To the best of my understanding, remember me token can be used to login and create a new session token while the session token only lasts for a few minutes or till the time the user closes the browser. Why can't we increase the expiry duration of the session token itself to the desired time till which we want the user to be logged in?

I have a need to implement such a functionality in a flex based application running over tomcat, and I am wondering about the need for remember me tokens.

Also, is it possible to get this functionality out of the box within tomcat?

Ashish asked Mar 15 '11 16:03

3 Answers

1) Sessions typically contain a whole bunch of data other than the user's login name. Therefore, if you just set the expiration date to a few weeks or months like a remember me token, you'd probably run into performance problems on the server due to thousands or millions of heavyweight session objects.

2) Remember tokens are client-side, not server-side. This puts all of the storage requirements on the user's browser, which is a better solution for simple data like login names. If you relied on session IDs linked to in-memory objects on the server, then every time you restart your server or the server process (to deploy an updated application, for instance), all of those session objects would be lost.

Jesse Barnum answered Oct 06 '22 00:10

Because by definition, a session ends as soon as the user closes his or her browser. Thus the session cookie will expire as soon as the browser is closed.

Since the purpose of remember-me functionality is to keep the user logged in across sessions, the information stored in the remember-me cookie must persist across browser restarts.

To get this functionality "out of the box" look at using a framework like Spring Security.

matt b answered Oct 05 '22 23:10

Remember-me cookies usually store the username and some kind of token. Both of them are used to authenticate the user. Take a look at Improved Persistent Login Cookie Best Practice, which describes the process quite well.

The session cookie is used to store a session ID on the client, which allows the server to recognize a session and load the session data that is associated with the session.

So remember-me cookies have a longer lifetime (usually days or weeks) than session cookies. Session cookies usually expire after a few minutes or when the browser is closed.

From the top of my head there are a few reasons why two different cookies are used:

  • If only the persistent remember-me cookie were used, the server would need to authenticate the user with every request. When an additional session cookie is used, the server doesn't have to do this as long as the session is valid. Of course the session ID could be stored within the remember-me cookie, but what's the point in doing that?
  • From a coding point of view it's better to reuse the existing session mechanism. Why reinvent the wheel instead of just adding a feature (authentication via remember-me cookie) that can be enabled/disabled easily?
Gerhard Schlager answered Oct 06 '22 00:10
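The two-cookie design that the answers above describe (a long-lived remember-me cookie carrying the username plus a token, which is redeemed for a short-lived server-side session) is easy to get subtly wrong, so here is an added, self-contained Python sketch of it. It is example code written for this page, not code from any of the answerers, from Tomcat or from Spring Security. It follows the series/token scheme from the "Improved Persistent Login Cookie Best Practice" article that Gerhard's answer links to, as I understand it: the cookie is `user:series:token`, the server stores only a hash of the token, the token is rotated on every use, and a cookie whose series is known but whose token no longer matches is treated as a replayed (stolen) cookie and all of that user's logins are revoked. The `AuthStore` class, its in-memory dictionaries and the TTL constants are assumptions standing in for real session and database storage.

```python
import hashlib
import hmac
import secrets

SESSION_TTL = 20 * 60            # assumed: short-lived server-side session, in seconds
REMEMBER_TTL = 30 * 24 * 3600    # assumed: long-lived remember-me cookie, in seconds


def _hash(token: str) -> str:
    # Only a hash is stored server-side, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthStore:
    """In-memory stand-in (constructed for this example) for the session table
    and the persistent-login table a real application would keep in a database."""

    def __init__(self):
        self.series = {}    # series_id -> {"user", "token_hash", "expires"}
        self.sessions = {}  # session_id -> {"user", "expires"}

    # ---- short-lived session: a heavyweight server object, cheap to check ----
    def new_session(self, user: str, now: int) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
        return sid

    def session_user(self, sid: str, now: int):
        """Return the user bound to a session id, or None if unknown/expired."""
        s = self.sessions.get(sid)
        if s is None or s["expires"] <= now:
            self.sessions.pop(sid, None)
            return None
        return s["user"]

    # ---- long-lived remember-me cookie: tiny client-side value, verified once ----
    def issue_remember_me(self, user: str, now: int) -> str:
        """Called after a successful password login when 'remember me' was ticked."""
        series = secrets.token_urlsafe(16)   # identifies this browser's login chain
        token = secrets.token_urlsafe(32)    # single-use secret, rotated on each redeem
        self.series[series] = {"user": user, "token_hash": _hash(token),
                               "expires": now + REMEMBER_TTL}
        return f"{user}:{series}:{token}"

    def redeem_remember_me(self, cookie: str, now: int):
        """Exchange a remember-me cookie for a fresh session.
        Returns (status, new_cookie, session_id); status is one of
        'ok', 'invalid', 'expired', 'theft'."""
        try:
            # rsplit: series and token are URL-safe and never contain ':', the username might
            user, series, token = cookie.rsplit(":", 2)
        except ValueError:
            return ("invalid", None, None)
        rec = self.series.get(series)
        if rec is None or rec["user"] != user:
            return ("invalid", None, None)
        if rec["expires"] <= now:
            del self.series[series]
            return ("expired", None, None)
        if not hmac.compare_digest(rec["token_hash"], _hash(token)):
            # Known series, wrong token: this cookie was already redeemed once and is
            # now being presented again, so someone else holds a copy. Revoke everything.
            self.revoke_user(user)
            return ("theft", None, None)
        # Valid: rotate the token so the old cookie is dead, then start a short session.
        new_token = secrets.token_urlsafe(32)
        rec["token_hash"] = _hash(new_token)
        return ("ok", f"{user}:{series}:{new_token}", self.new_session(user, now))

    def revoke_user(self, user: str) -> None:
        """Drop every remember-me series and every live session for a user."""
        for k in [k for k, v in self.series.items() if v["user"] == user]:
            del self.series[k]
        for k in [k for k, v in self.sessions.items() if v["user"] == user]:
            del self.sessions[k]


if __name__ == "__main__":
    store = AuthStore()
    cookie = store.issue_remember_me("alice", now=0)
    status, new_cookie, sid = store.redeem_remember_me(cookie, now=3600)
    print(status, store.session_user(sid, now=3600))          # ok alice
    print(store.redeem_remember_me(cookie, now=7200)[0])        # theft (old cookie replayed)
    print(store.redeem_remember_me(new_cookie, now=7200)[0])    # invalid (revoked)
```

The split of responsibilities matches the answers: the session dictionary is what Jesse's answer calls the heavyweight server object, and it is only ever looked up by id, while the remember-me cookie is verified (and rotated) exactly once per browser start. A real deployment would additionally set `HttpOnly` and `Secure` on both cookies and persist `series` in a database so it survives a server restart.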