Remember-Me Authentication in Spring Security

Introduction :

Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions. This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place. Spring Security provides the necessary hooks for these operations to take place and has two concrete remember-me implementations. One uses hashing to preserve the security of cookie-based tokens and the other uses a database or other persistent storage mechanism to store the generated tokens.

Remember me spring security flow :

1) When the user successfully logs in with Remember Me checked, a login cookie is generated in addition to the standard session management cookie.

2) The login cookie contains the user's username and a random number and a current date time(this cookie is also called Token). The username and token are stored as a pair in a database table.

3) And this cookie is sent back in user response header.And this cookie is associated in every request sent to server.

4) When a non-logged-in user visits the site and presents a login cookie, the username and token are looked up in the database.
If the pair is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in database with the username, and issued to the user via a new login cookie.

5) If the pair is not present, the login cookie is ignored.Then redirect to login operations, then user must first successfully submit a normal username/password login form.If username is successfully authenticated then a new token is generated and persists username & token are stored as a pair in a database table and sent back new token to user as in response.

Implementation Details :

Spring provides an Interface for remember me, that is RememberMeServices.This interface has two implementations TokenBasedRememberMeServices and PersistentTokenBasedRememberMeServices.

RememberMeServices is hooked in UsernamePasswordAuthenticationFilter, which will invoke a concrete RememberMeServices at the appropriate times.This interface therefore provides the underlying remember-me implementation with sufficient notification of authentication-related events, and delegates to the implementation whenever a candidate web request might contain a cookie and wish to be remembered.

Lets us see RememberMeServices implementations macanism

1) TokenBasedRememberMeServices :

This approach uses hashing to achieve a useful remember-me strategy. In essence a cookie is sent to the browser upon successful interactive authentication, with the cookie being composed as follows:

base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))

here key is A private key to prevent modification of the remember-me token.

When user logs in,TokenBasedRememberMeServices generates a RememberMeAuthenticationToken token with above macanism.This token is sent back to user in response.
Further requests, remember-me token will be associated in each request cookies.RememberMeServices will decode this token and token is validated by comparing with expected TokenSignature.If tokens are same then a new token is generated and sent back to user else InvalidCookieException is thrown.

In addition, TokenBasedRememberMeServices requires A UserDetailsService from which it can retrieve the username and password for signature comparison purposes, and generate the RememberMeAuthenticationToken to contain the correct GrantedAuthority[]s.

2) PersistentTokenBasedRememberMeServices : 

PersistentTokenBasedRememberMeServices, name itself explains token is persisted in repository and for every request it will get token from repository and compares with user token.Rest all is same as TokenBasedRememberMeServices.
PersistentTokenBasedRememberMeServices generate token named PersistentRememberMeToken which contains username,series(random value),tokenValue(Random value) and date.And this token is persisted in repository to remember.

Currentlly PersistentTokenBasedRememberMeServices supports two types of repository to persist token.

1) InMemoryTokenRepositoryImpl which is intended for testing only.

2) JdbcTokenRepositoryImpl which stores the tokens in a database.

For detail explanation and implementation for remember-me service, I have written separate blogs.

1) Spring security remember me using form login : In this blog, remember me service is implemented using PersistentTokenBasedRememberMeServices.

2) Spring security remember me with Custom login filter : In this blog,  remember me service is implemented using TokenBasedRememberMeServices.

Show Comments: OR