Home/ Questions/Q 878757
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T11:48:55+00:00

I’m curious how does Remember Me work and how does it work in Spring

  • 0

I’m curious how does Remember Me work and how does it work in Spring Security?

I understand that server sends long-lived cookies to the client. And then client sends cookie back and server can recognize the client because there’s something like hash-map on the server with relations cookie --> session.

I don’t understand how does the server [server-side application] recognize a client by cookie after server [Tomcat] has been restarted.

How and where does Spring Security save cookie-session map before server shutdown? Is it server-specific (i.e. something different is happened in Tomcat, Jetty etc)?

P.S. one more related problem with Spring Security and redeployment: even if I don’t tick RememberMe and log in, I’m still recognized after redeployment for about 3 mins. Is it fixable?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The Spring Security docs discuss how this actually works.

    This approach uses hashing to achieve a useful remember-me strategy. In essence a cookie is sent to the browser upon successful interactive authentication, with the cookie being composed as follows:

    base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))

    As such the remember-me token is valid only for the period specified, and provided that the username, password and key does not change. Notably, this has a potential security issue in that a captured remember-me token will be usable from any user agent until such time as the token expires. This is the same issue as with digest authentication.

    Basically the cookie contains the username, password, expiration time and a key (which you specify), all of which are hashed together. When your browser sends the contents of this cookie to the server, Spring Security:

    1. Retrieves the password from the backend for the given username
    2. Computes the md5Hex() of the username/password/etc from the database and compares it to the value in the cookie
    3. If they match – you are logged in! If not a match, then you’ve supplied a forged cookie or one of the username/password/key has changed.

    The underlying assumption here is that the hash function – the md5Hex() part above – provides a way to easily encode some piece of data in one direction yet is incredibly hard and unpractical to reverse (to recover the password from the md5Hex text).

    • 0