How does the remember me feature work?

The definition of the "Remember Me" feature is:

When you check the "Remember Me" checkbox at the Portal Login page, your login will be remembered for some days, even after you close your browser. The next time you open the same browser within that time period, you will be automatically logged in.

I did not get how it actually works internally.

Say I hit app1 and log in with my credentials. The web server creates the user object and stores it in the session. Now whenever I hit app1 from tabs (same or different) of the same browser instance, cookies will be sent to and fro. Makes sense.

But once I close the browser, open a new window, and hit app1, a new set of cookies will be sent (not the previous one) and the web server will create a new session and ask for the credentials.

So I am really not getting how remember me works once the browser is closed and a new window is opened?

Demers answered 22/2, 2015 at 12:26 Comment(0)

The remember-me feature typically works by generating a unique cookie, associating it with the user in the database, and adding a persistent cookie (i.e. a cookie which is saved on disk by the browser) to the response once the user is logged in.

When the user opens the browser again and goes back to the app, the browser sends this cookie, and the server finds if any user has this cookie in the database. If the user is found, he's automatically authenticated and a new session is started for this cookie.

Cue answered 22/2, 2015 at 14:48 Comment(6)
JB Nizet, but as per my understanding, cookies are sent as long as the app is hit from the same browser instance (i.e. either from the same browser window or from another tab in the same browser window). But as soon as you hit the same app URL from an altogether new browser window, cookies are not shared. Is that not correct? - Demers

If you use Firefox, accept a persistent cookie, shut down your machine, and restart Firefox, the query will be sent to the server. Of course, if you start Chrome instead of Firefox, or Firefox on another machine, the cookie won't be there. - Cue

I tried hitting my web app from Firefox and noted the jSessionId. Closed the browser and hit the web app from Firefox again, and I could see a new jsessionId. Looks like different cookies are sent, otherwise jsessionId would have been the same. Right? - Demers

jsessionid is a session cookie. It isn't persistent. The remember-me feature uses a different, persistent cookie. - Cue

Oh, got you. It means persistent cookies are deleted on logout (because the server must have directed the browser to do so), not on browser exit, but session cookies may be deleted or not depending on browser settings. Hope it is correct now? - Demers

No. Persistent cookies are kept by the browser until they expire, or until the server tells the browser to delete it. Session cookies expire when the browser closes, or when the server tells the browser to delete it. - Cue
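
The mechanism the answer and comments describe, as an added example that is not part of the original thread: the session cookie is sent without a lifetime, the remember-me cookie carries `Max-Age` so the browser keeps it on disk, and the server maps it back to a user when no session exists. The cookie name `REMEMBER_ME`, the 14-day lifetime, the in-memory dict standing in for the database, and storing only a hash of the token are assumptions of this example.

```python
import hashlib, secrets, time
from http.cookies import SimpleCookie

REMEMBER_SECONDS = 14 * 24 * 3600   # assumed lifetime; the page only says "some days"
remember_db = {}                    # sha256(token) -> (user, expiry); stands in for a DB table

def _digest(token):
    # Assumption: keep only a hash server-side so a leaked table cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def login(user, remember_me, now=None):
    """Return the Set-Cookie header values sent after a successful login."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar["JSESSIONID"] = secrets.token_hex(16)      # session cookie: no Max-Age/Expires
    jar["JSESSIONID"]["httponly"] = True
    if remember_me:
        token = secrets.token_urlsafe(32)          # unguessable value tied to the user
        remember_db[_digest(token)] = (user, now + REMEMBER_SECONDS)
        jar["REMEMBER_ME"] = token
        jar["REMEMBER_ME"]["max-age"] = REMEMBER_SECONDS   # persistent: survives browser exit
        jar["REMEMBER_ME"]["httponly"] = True
        jar["REMEMBER_ME"]["secure"] = True
    return [m.OutputString() for m in jar.values()]

def auto_login(cookie_header, now=None):
    """Request arrived with no live session: try the remember-me cookie."""
    now = time.time() if now is None else now
    jar = SimpleCookie(cookie_header)
    if "REMEMBER_ME" not in jar:
        return None
    entry = remember_db.get(_digest(jar["REMEMBER_ME"].value))
    if entry is None or entry[1] < now:
        return None                                # unknown or expired: ask for credentials
    return entry[0]                                # caller starts a fresh session for this user

def logout(cookie_header):
    """Forget the token server-side and tell the browser to delete the cookie."""
    jar = SimpleCookie(cookie_header)
    if "REMEMBER_ME" in jar:
        remember_db.pop(_digest(jar["REMEMBER_ME"].value), None)
    gone = SimpleCookie()
    gone["REMEMBER_ME"] = ""
    gone["REMEMBER_ME"]["max-age"] = 0             # Max-Age=0 makes the browser drop it
    return gone["REMEMBER_ME"].OutputString()
```

After a browser restart only the `REMEMBER_ME` cookie is still sent, which is why a new `JSESSIONID` appears even though the user is logged in automatically.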
