Spring Security - Remember Me

The Remember Me feature in Spring Security allows users to remain authenticated even after closing and reopening the browser. It works by storing authentication information in a cookie and validating it on subsequent visits. This improves user experience by eliminating the need to log in repeatedly while maintaining secure authentication mechanisms.

• Allows users to stay logged in across browser sessions.
• Uses cookies to store authentication information.
• Supports both token-based and database-backed persistent authentication.

Ways to Implement Remember Me

Spring Security provides two approaches for implementing Remember Me authentication:

1. Hash-Based Token Approach

• Stores a token inside a browser cookie.
• Token is generated using username, password, expiration time, and a secret key.
• Does not require database storage.

2. Persistent Token Approach

• Stores generated tokens in a database.
• Uses a persistent_logins table for token management.
• More secure because tokens can be invalidated individually.

Step-by-Step Implementation

We are taking the Persistent Token Approach in which a database or other persistent storage mechanism is used, and it is helpful to store the generated tokens.

Step 1: Create a Spring Boot Application

• create a Spring Boot application then we need to import our project to the IDE (STS or IntelliJ IDEA)
• Create packages and classes

Project Structure:

Add the following dependencies:

• Spring Boot Starter Web
• Spring Boot Starter Security
• Spring JDBC
• MySQL Connector
• JSP and Servlet dependencies

This is a maven-driven project

Step 2: Database Configuration

Create a MySQL database and required tables. Add these tables:

• users : Stores usernames and passwords.
• authorities :Stores user roles.
• persistent_logins : Stores remember-me tokens.

CREATE TABLE users(

username VARCHAR(50) PRIMARY KEY,

password VARCHAR(100) NOT NULL,

enabled BOOLEAN NOT NULL

);

CREATE TABLE authorities(

username VARCHAR(50),

authority VARCHAR(50)

);

CREATE TABLE persistent_logins(

username VARCHAR(50) NOT NULL,

series VARCHAR(64) PRIMARY KEY,

token VARCHAR(64) NOT NULL,

last_used TIMESTAMP NOT NULL

);

Step 3: Insert Sample Data

Let us insert a few data into the users and authorities table for testing purposes

-- Let us create a user with admin and password as password@123
-- While storing into the database let us store as encoded password with BCryptPasswordEncoder
-- For password@123, it will be $2a$10$USD5XrNWIpf2sLnGJ62/v.hTtSIY1vdeF7v8Y4YaNJhTftbX1HBwi
insert into users(username,password,enabled)
values('admin','$2a$10$hbxecwitQQ.dDT4JOFzQAulNySFwEpaFLw38jda6Td.Y/cOiRzDFu',true);
insert into authorities(username,authority)
values('admin','ROLE_ADMIN');

To get the encoded password, by using a sample code, we can get it:

Step 4: Configure Database Connectivity

Create a database.properties file.

• Connects Spring Boot to MySQL.
• Provides credentials and connection details.

spring.datasource.url=jdbc:mysql://localhost:3306/your_database?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC

spring.datasource.username=root

spring.datasource.password=yourpassword

spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver

Step 5: Create Application Configuration

Create a configuration class to define the DataSource bean.

• Establishes database connectivity.
• Makes the DataSource available throughout the application.

ApplicationConfiguration.java:

Step 6: Spring Security Configuration

Create a security configuration class and enable Remember Me functionality.

• Configure authentication and authorization.
• Enable form login.
• Enable Remember Me support.

WebSecurityConfiguration.java:

Note: The encoded password must be stored in the database.

Step 7: Spring MVC Configuration

Configure JSP view resolution.

• Maps logical view names to JSP files.
• Handles navigation between views.

WebConfiguration.java:

Step 8: Configure Servlet Initialization

Create an initializer class to load Spring configurations.

• Loads database configuration.
• Loads Spring Security configuration.

MvcWebApplicationInitializer.java:

Step 9: Create Controller

The controller class to handle requests and display messages.

SampleContoller.java:

Step 10: Create JSP Views

login.jsp:

• Username field
• Password field
• Remember Me checkbox
• Login button

index.jsp- Displays:

• Welcome message
• Logged-in username
• Logout button

Step 11: Build and Run the Application

As this is the maven project, first let us build the application from the command prompt as follows:

mvn clean install

Output:

Run the application by using below command:

mvn jetty:run

Output:

Step 12: Test the Remember-Me Feature

Let us test now by hitting -> http://localhost:8080/

admin/password@123 has to be given as credentials. As it is the user available in the user's table and that password is kept in an encoded way. As the remember me option is selected, in the database, we can see an entry under 'persistent_logins'

At the same time, we can check the same under cookies as well. As the chrome browser is used, let us check that via chrome browser settings options

When the Remember Me option is selected, Spring Security stores authentication information in a cookie and saves a token in the database. As long as the cookie remains valid and is not deleted, users can close and reopen the browser and still be automatically logged in without entering their credentials again.

Advantages of Remember Me

• Improves user experience by reducing repeated logins.
• Enables automatic authentication across browser sessions.
• Supports secure token-based authentication.
• Persistent token approach provides better security.
• Useful for e-commerce, banking dashboards, and enterprise applications.