reset password
Author Message
jonathankroening
Posts: 39
Posted 16:22 Feb 28, 2015

It would seem that Spring Security "remembers" the user that last logged in, unless a logout happens.

Such as: after a crash, or after the server is stopped. The next time the app is run on the server, it won't intercept to the Spring Security login. It just remembers the last user.

Any help on this behavior? Thanks.

cysun
Posts: 2935
Posted 17:10 Feb 28, 2015

Just like everything else, Spring Security uses session/cookie to determine if a user has already logged in.

When a Tomcat server is stopped, it tries to save session data, which will be loaded when the server starts again. If you don't close your browser (i.e. keep the cookie), when the server starts again, you can access the webapp without re-login because the browser and the server can re-establish the session.

This behavior is the same with or without Spring Security.
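
Added example, not part of the posts above or of the course code: the restart persistence described in the reply comes from Tomcat's default session manager, and it can be turned off per application so that every restart invalidates existing sessions and forces a fresh login. The file location `META-INF/context.xml` assumes a standard WAR layout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application (assumed location) -->
<Context>

    <!--
      Default behaviour (no <Manager> element): Tomcat's StandardManager
      serializes active sessions to SESSIONS.ser in the context's work
      directory on a normal shutdown and reloads them on startup. A browser
      that still holds the JSESSIONID cookie is then treated as logged in,
      including its Spring Security authentication stored in the session.
    -->

    <!--
      Hardened setting: an empty pathname disables restart persistence.
      Sessions are discarded when the server stops, so the old JSESSIONID
      no longer matches anything and the user is sent back to the login page.
    -->
    <Manager pathname="" />

</Context>
```

The same `<Manager pathname="" />` element placed in Tomcat's global `conf/context.xml` applies the setting to every application on that server.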