spring-security jetty remember-me session-replication

Spring "Remember Me" not working with jetty and session replication


I am using Jetty 8 and currently have two instances set up and running behind a round robin load balancer. I have configured it to use session replication via MongoDB. My application uses Spring Security. It is working great with two exceptions. I will include one here, and the other in another question.

  1. Spring Security's "Remember Me" does not work correctly. If a user logs in and requests "Remember me", then it will work fine, assuming the user's future authentication requests hit the particular node that was hit during the original login. However, if a future auth request hits a different node, that node appears to be ignorant of the "Remember me" request and therefore prompts the user for credentials.

Does anyone have any suggestions? I'm about to start digging into the implementation of spring security's remember me code and jetty-nosql, but would love it if someone could save me some time.

Additionally, I have tried both the cookie hash-based "remember me" token as well as the db persisted "remember me" token approach, and both have the same issue.


Solution

  • The solution is to use the db persisted "remember me" token approach. In our situation, we used org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.

    It turns out that our first attempt at using the db persisted token approach was simply implemented in error. When we did it correctly, it worked fine and solved our remember me problem.
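
A sketch of a persistent-token setup that any node behind the load balancer can validate. This is an added example, not the answerer's code; it assumes Spring Security 3.1 or later, a JDBC `DataSource` pointing at a database all nodes share, and a hypothetical system property `app.rememberme.key` set to the same value on every node.

```java
import javax.sql.DataSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
public class RememberMeConfig {

    // Assumption: hypothetical property name, set identically on every node.
    // A null or empty key makes the constructors below fail at startup.
    private final String rememberMeKey = System.getProperty("app.rememberme.key");

    // Tokens live in the shared database, so a cookie issued by node A
    // can be looked up by node B. An in-memory repository would be
    // visible only to the node that created the token.
    @Bean
    public PersistentTokenRepository tokenRepository(DataSource sharedDataSource) {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(sharedDataSource);
        // Create the persistent_logins table once, outside the application,
        // rather than having each node attempt it at startup.
        repo.setCreateTableOnStartup(false);
        return repo;
    }

    @Bean
    public PersistentTokenBasedRememberMeServices rememberMeServices(
            UserDetailsService userDetailsService,
            PersistentTokenRepository tokenRepository) {
        PersistentTokenBasedRememberMeServices services =
                new PersistentTokenBasedRememberMeServices(
                        rememberMeKey, userDetailsService, tokenRepository);
        services.setTokenValiditySeconds(14 * 24 * 60 * 60); // constructed value: two weeks
        return services;
    }

    // Must use the same key as the services bean, otherwise the
    // remember-me authentication token it produces is rejected.
    @Bean
    public RememberMeAuthenticationProvider rememberMeAuthenticationProvider() {
        return new RememberMeAuthenticationProvider(rememberMeKey);
    }
}
```

The login filter and the remember-me filter both have to reference this `rememberMeServices` bean, and the provider has to be registered with the authentication manager, for the token to be issued at login and honored on later requests.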