I’m using Spring Framework 3.0.5 and Spring Security 3.0.5 for developing a webapplication where users can log in and log out, using Remember-Me-Service, if they want to.

As I don’t have pretty much experience, I wonder if it’s working correctly. I use PersistentTokenApproach (with my own implementation, because I use Hibernate.) I can see the cookie is created on login and deleted on logout.
If I have an valid Remember-Me-Cookie and close the Browser, Im successfully logged in again when I open the browser again. So far, so good.

Now, I’d just like to know if those things I noticed are working as they are expected to or if I maybe did make a mistake.

1) When a user logs in without remember-me and the browser-tab is closed (not the browser itself), on reopening a new browser-tab he is still authenticated (he’s using the same JSESSIONID). When closing the browser and reopening again, he isn’t authenticated anymore. Regarding the security of a webapplication, is this a recommended (“normal”) behaviour?

2) When remember-me used and the user is successfully authenticated (by login or later by cookie), there are no more checks on the cookie. that means, if meanwhile the user is online I’d delete the cookie from the database, the user would still be logged in, allowed to watch even the secured pages. I guess this happens because he was authenticated before and keeps using the same SESSIONID. When I close the browser and reopen it again, he isn’t authenticated anymore.

3) When I dont own a cookie and open the main page, for every request I send (every picture, every file on the page) the server is checking for the rememberme-cookie. Is that correct?

Sorry for the newbie-questions, but I just want to make sure everything is working as it should. 🙂 Thanks in advance!