While implementing the "remember me" feature for a website, why do we complicate things and have a token called a remember me token apart from the session token?
To the best of my understanding, a remember me token can be used to log in and create a new session token, while the session token only lasts for a few minutes or until the user closes the browser. Why can't we increase the expiry duration of the session token itself to the desired time until which we want the user to be logged in?
I need to implement such functionality in a Flex based application running over Tomcat and I am wondering about the need for remember me tokens.
Also, is it possible to get this functionality out of the box within Tomcat?
1) Sessions typically contain a whole bunch of data other than the user's login name. Therefore, if you just set the expiration date to a few weeks or months, like a remember me token, you'd probably run into performance problems on the server due to thousands or millions of heavyweight session objects.
2) Remember tokens are client-side, not server-side. This puts all of the storage requirements on the user's browser, which is a better solution for simple data like login names. If you relied on session IDs linked to in-memory objects on the server, then every time you restart your server or the server process (to deploy an updated application, for instance), all of those session objects would be lost.
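As an added illustration of the split the answer describes (example code, not the answerer's or Tomcat's), here is a hypothetical in-memory server that keeps heavyweight sessions apart from a small table of hashed remember me tokens; a valid cookie is redeemed for a fresh short-lived session and rotated, and redeploying the app wipes sessions but not the token table.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 20 * 60            # minutes, as an ordinary session would be
REMEMBER_TTL = 30 * 24 * 3600    # weeks, as a remember-me cookie would be


class AuthServer:
    """Hypothetical server: heavyweight session store plus a lightweight remember-me table."""

    def __init__(self):
        self.sessions = {}   # session id -> per-request state; lives only in process memory
        self.remember = {}   # selector -> (sha256 of validator, username, expiry); would be a DB table

    def create_session(self, username, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "cart": [], "prefs": {}, "expires": now + SESSION_TTL}
        return sid

    def issue_remember_token(self, username, now):
        # The client keeps "selector:validator"; the server keeps only a hash of the validator,
        # so a leaked table cannot be turned back into usable cookies.
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        digest = hashlib.sha256(validator.encode()).hexdigest()
        self.remember[selector] = (digest, username, now + REMEMBER_TTL)
        return f"{selector}:{validator}"

    def redeem_remember_token(self, cookie, now):
        """Exchange a valid cookie for (new_session_id, new_cookie); returns None on any failure."""
        selector, sep, validator = cookie.partition(":")
        # Single use: the row is consumed whether or not it validates, so a known selector
        # cannot be used to guess the validator over many attempts.
        row = self.remember.pop(selector, None)
        if not sep or row is None:
            return None
        digest, username, expires = row
        presented = hashlib.sha256(validator.encode()).hexdigest()
        if now >= expires or not hmac.compare_digest(presented, digest):
            return None
        # Rotate: the browser gets a fresh cookie and the old one can never be replayed.
        return self.create_session(username, now), self.issue_remember_token(username, now)

    def restart(self):
        # Simulates redeploying the application: in-memory sessions vanish,
        # the (persisted) remember-me table survives.
        self.sessions.clear()
```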