Spring Security Remember Me

Spring Security provides a “Remember Me” feature that allows users to stay logged in even after they close and reopen the web application. This feature is typically implemented using a persistent token stored in a cookie, which the application uses to remember the user’s identity. Here’s how you can implement the “Remember Me” feature in a Spring Security application:

Configure Remember Me:

In your Spring Security configuration class, enable the “Remember Me” feature using the .rememberMe() method. You need to specify a key for generating the remember-me cookie and, optionally, a custom userDetailsService if you want to load user details from a custom source.

				
					import org.springframework
.context.annotation.Bean;
import org.springframework
.context.annotation.Configuration;
import org.springframework.security
.config.annotation.web.builders.HttpSecurity;
import org.springframework.security
.config.annotation.web.configuration
.EnableWebSecurity;
import org.springframework.security
.core.userdetails.User;
import org.springframework.security
.core.userdetails.UserDetails;
import org.springframework.security
.core.userdetails.UserDetailsService;
import org.springframework.security
.provisioning.InMemoryUserDetailsManager;
import org.springframework.security
.config.annotation.authentication
.builders.AuthenticationManagerBuilder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends 
WebSecurityConfigurerAdapter {

    @Bean
    @Override
    public UserDetailsService 
    userDetailsService() {
        UserDetails user = User
        .withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
return new InMemoryUserDetailsManager(user);
    }

    @Override
    protected void configure
    (HttpSecurity http) throws Exception {
        http
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/private/**").authenticated()
.and().formLogin()
.loginPage("/login")
.defaultSuccessURL("/dashboard")
.permitAll().and().logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login")
.permitAll().and()
 .rememberMe() // Enable Remember Me
.key("my-remember-me-key"); 
    }
}

				
			

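In this example, we’ve enabled Remember Me using .rememberMe() and specified a unique key for generating the remember-me cookie using .key("my-remember-me-key"). You can choose any key you like, but it should be unique to your application. Because the key is part of the hash that protects the cookie from tampering, treat it as a secret and load it from configuration rather than committing a literal like the one shown here.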
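How the value passed to .key(...) is used, as an added example (not code from the original page or from Spring itself): a standalone sketch of the hash-based token layout documented for Spring Security 5.x, base64(username:expiry:md5Hex(username:expiry:password:key)), together with the checks the server makes on it. The class name, clock value and stored credential are constructed, and the URL-encoding Spring applies to each cookie field is omitted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Standalone sketch (not Spring's own class) of the hash-based remember-me token.
public class RememberMeTokenDemo {

    // md5Hex(username:expiryMillis:storedPassword:key)
    static String signature(String user, long expiry, String storedPassword, String key)
            throws Exception {
        String input = user + ":" + expiry + ":" + storedPassword + ":" + key;
        byte[] digest = MessageDigest.getInstance("MD5").digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Cookie value: base64(username:expiryMillis:signature)
    static String issue(String user, long expiry, String storedPassword, String key) throws Exception {
        String raw = user + ":" + expiry + ":" + signature(user, expiry, storedPassword, key);
        return Base64.getEncoder().withoutPadding().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Server-side check: well-formed, not expired, and the signature equals the one
    // recomputed from the stored password and the configured key.
    static boolean validate(String cookie, String storedPassword, String key, long now) throws Exception {
        try {
            String[] t = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
            if (t.length != 3 || Long.parseLong(t[1]) < now) return false;
            String expected = signature(t[0], Long.parseLong(t[1]), storedPassword, key);
            // Constant-time comparison so timing does not leak how many characters matched.
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         t[2].getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException malformed) { // bad base64 or non-numeric expiry
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000_000L;                  // constructed clock value
        long expiry = now + 14L * 24 * 60 * 60 * 1000;  // two weeks
        String stored = "{noop}password";               // constructed stored credential
        String cookie = issue("user", expiry, stored, "my-remember-me-key");
        System.out.println("valid:            " + validate(cookie, stored, "my-remember-me-key", now));
        System.out.println("key rotated:      " + validate(cookie, stored, "rotated-key", now));
        System.out.println("password changed: " + validate(cookie, "{noop}new", "my-remember-me-key", now));
        System.out.println("expired:          " + validate(cookie, stored, "my-remember-me-key", expiry + 1));
    }
}
```

Rotating the key invalidates every outstanding remember-me cookie at once, which is one more reason to keep it in deployment configuration rather than in source.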

Create a Logout Controller (Optional):

If you want to provide users with the option to log out of the “Remember Me” session explicitly, you can create a logout controller and a logout button or link.

				
					import org.springframework
.stereotype.Controller;
import org.springframework.web
.bind.annotation.GetMapping;

@Controller
public class LogoutController {

    @GetMapping("/logout")
    public String logout() {
       
        return "redirect:/login";
    }
}

				
			

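In this example, the /logout endpoint performs the logout operation, which includes clearing the remember-me cookie. That work is done by Spring Security’s logout handling configured with .logout().logoutUrl("/logout"), not by the controller method, which only redirects to the login page. With CSRF protection enabled (the default), Spring Security processes logout only for POST requests to /logout, so the logout button should submit a POST form that includes the CSRF token.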

With these steps, your Spring Security application will have the “Remember Me” feature enabled. Users can choose to stay logged in even after they close their browsers. When they revisit the application, they will be automatically logged in using the remember-me cookie until it expires or is explicitly cleared. Customize your application further as needed to meet your specific requirements.
