How to configure Remember-Me authentication by Hash-Based Token Approach

Remember-me authentication is a solution for web sites to remember the identity of a user between sessions. In the tutorial, JavaSampleApppoach will show you way to configure remember-me by Hash-Based Token Approach (Cookie-based tokens) with Spring Boot.
Related Articles:
How to configure Persistent Token Remember Me authentication Approach
Spring Security – Config Security for Web MVC by Spring Boot

I. Remember-Me Authentication

Having 2 approaches for remember-me authentication

1. Cookie-based tokens

– After user login sucessfully, a cookie is sent to the browser which being composed by:

base64(username + “:” + expirationTime + “:”
+ md5Hex(username + “:” + expirationTime + “:” password + “:” + key))

key: a private key to prevent modification of the remember-me token.

remember-me token is valid for expirationTime, & the username, password and key does not change in the period time. If a token has been captured, users can change their password then remember-me tokens will be invalid.

2. Use a database to store the generated tokens

Create a table with name persistent_logins to save tokens. So we need to specify a datasource for remember-me configuration.

II. Technologies

– Java 1.8
– Maven 3.3.9
– Spring Tool Suite – Version 3.8.1.RELEASE
– Spring Boot: 1.5.1.RELEASE

III. Practice – Cookie-based tokens

Step to do
– Create SpringBoot project
– Create Controller & Views
– Configure remember-me security
– Run & Check results

1. Create SpringBoot project

Open Spring Tool Suite, on main menu, choose File->New->Spring Starter Project, add project info, then press Next for needed dependencies:
– For Security, choose Core->Security
– For Template Engines, choose Thymeleaf
– For Web MVC, choose Web->Web

springsecurity remember-me authentication dependencies

Open pom.xml, check dependencies:

2. Create Controller & Views

– Create a simple controller WebController:

– Create 2 views:

login.html with Remember Me checkbox:

3. Configure remember-me security

Configure only one account: user/user for testing.

Full Sourcecode

4. Run & Check results

Build & Run the project with SpringBoot App mode.

4.1 Check with normal cookie

Make the firstly request: http://localhost:8080 -> login page will be redicted immediately, use account: user/user for authentication, But NOT check Remember me.
=> Result: Login successfully, having 1 cookie: JSESSIONID

springsecurity remember-me authentication see-cookies - one

– Delete JSESSIONID and make above request again: http://localhost:8080 => login page will be re-direct immediately for authentication again.

4.2 Check with Remember-me cookie

– Login with account: user/user, But check Remember me
=> Authentication successfully. Having 2 cookies: JSESSIOINID & javasampleapproach-remember-me.

springsecurity remember-me authentication see-2 cookies

javasampleapproach-remember-me cookie has 1 day for expired time.
Remove JSESSIONID cookie, then make the request: http://localhost:8080
-> NOT redirect to login page (because having javasampleapproach-remember-me cookie)

– Remove javasampleapproach-remember-me cookie, then make the request: http://localhost:8080, login page will be redirect >>> Right!

It works fine!

IV. SourceCode


By grokonez | April 16, 2017.

Related Posts

1 thought on “How to configure Remember-Me authentication by Hash-Based Token Approach”

Got Something To Say:

Your email address will not be published. Required fields are marked *