I am working with Flex and Spring on a project, where I need to authenticate my users to give them the chance to build their personal profiles.

On my services side I made two very simple methods login and logout, which the Flex client calls through a remote object. What I noticed, though, is that apart from the JSESSIONID cookie, Spring doesn’t set any other authentication specific cookie. Thus, when I try to do something auth specific, for example logging out, or requesting data from a specific service, the server breaks my client state, because the session might have expired. However, the client doesn’t know anything about that.

In fact, I don’t want sessions to expire at least until I close the browser completely. The normal JSESSION expiry time is 30 mins, I think, which, if we speak about the server is completely understandable, since the server must have a reasonably timely management of the sessions (resp. threads) being open.

That’s why I need a second AUTH cookie, which by default expires on browser close. However, I am also thinking f implementing something like “Remember me” which should increase the expiry date with 14 days.

BTW, I assumed that Spring Security takes care of this automatically, by setting an AUTH cookie by default, but this is not the case. I think that it at least the authentication instance with the current session, since, after I log in, all the security rules I have take place absolutely fine …. until the Jsession expires, of course.

NOTE: Whatever you propose, please have in mind that there is also an AJAX client under development, which will more or less use the same infrastructure, so the cookie solution has to apply to both.

Thanks.