
Thread: RememberMe Cookie Cleared in Logout

  1. #1

    RememberMe Cookie Cleared in Logout

    I am using the rememberme parameter in my login form, and I see that the rememberme cookie is being properly set after a successful login.

    However, when I click the generic logout link (/j_security_logout.do) I see that the rememberme cookie is cleared — that is, an empty rememberme cookie is returned to the browser in the response.

    I do *not* want the generic logout to clear the rememberme cookie. Instead, I only want to clear the rememberme cookie if the *rememberme* logout link (/j_security_rememberMe_logout.do) is clicked instead.

    Am I doing something wrong below? Do I need to implement a special remember-me logout filter?


    Code (Spring Security 3.0 XML configuration):
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans
      xmlns="http://www.springframework.org/schema/security"
      xmlns:beans="http://www.springframework.org/schema/beans"
      xmlns:p="http://www.springframework.org/schema/p"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
      <!--
        * @(#) $Id: spring-security.xml 3680 2011-01-28 06:31:58Z rgomes $
      -->
    
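      <http entry-point-ref="authenticationEntryPoint">
        <!-- Static assets skip the whole filter chain: no session lookup, no access decision. -->
        <intercept-url pattern="/css/**" filters="none" />
        <intercept-url pattern="/js/**" filters="none" />
        <intercept-url pattern="/image/**" filters="none" />

        <!--
          Patterns are evaluated in declaration order; the first match wins.

          Channel security: the login page and j_security_check live under /ssl/**, so
          credentials are only ever posted over HTTPS. The authenticated areas are pinned
          to HTTPS as well (review fix): JSESSIONID and the remember-me cookie are bearer
          tokens, and serving /secure/** or /admin/** over plain HTTP would let a passive
          observer replay either one for as long as the session or token is valid.
          Requests arriving over HTTP are redirected by the channel filter using the same
          port mapping that /ssl/** already relies on.
        -->
        <intercept-url pattern="/ssl/**" requires-channel="https" />
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https" />
        <intercept-url pattern="/secure/**" access="ROLE_USER,ROLE_ADMIN" requires-channel="https" />

        <access-denied-handler ref="accessDeniedHandler" />

        <!-- Explicit beans replace the namespace defaults at these positions. -->
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" />
        <!-- Runs ahead of the standard logout filter so /j_security_rememberMe_logout.do is
             handled by the dedicated remember-me logout below. -->
        <custom-filter before="LOGOUT_FILTER" ref="rememberMeLogoutFilter" />

        <!--
          The namespace-built LogoutFilter invalidates the session and, because
          <remember-me> is configured in this <http> block, also calls
          rememberMeServices.logout(), which is what cancels the remember-me cookie on
          /j_security_logout.do. That is the intended behaviour: TokenBasedRememberMeServices
          keeps no server-side record, so a cookie left behind would remain a valid login
          for the rest of tokenValiditySeconds (or until the user's stored password changes,
          since the token signature covers it).
        -->
        <logout logout-url="/j_security_logout.do" />

        <remember-me services-ref="rememberMeServices" />

        <session-management invalid-session-url="/security/session-timeout.do"
             session-authentication-strategy-ref="sessionControlStrategy" />

        <!-- No anonymous token: unauthenticated requests carry no Authentication at all. -->
        <anonymous enabled="false" />
      </http>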
    
      <authentication-manager alias="authenticationManager">
        <!-- Providers are tried in this order. The remember-me provider only accepts a
             RememberMeAuthenticationToken whose key hash matches its own key, which is why
             its key must equal the one configured on rememberMeServices below. -->
        <authentication-provider ref="formAuthenticationProvider" />
        <authentication-provider ref="rememberMeAuthenticationProvider" />
      </authentication-manager>
    
    
      <!--  AUTHENTICATION ENTRY POINT -->
    
      <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <!-- Where unauthenticated requests are sent. The login page sits under /ssl/**,
             which the <http> channel rules already force onto HTTPS, so forceHttps is
             left off here (enabling it would only save one redirect hop). -->
        <beans:property name="loginFormUrl" value="/ssl/security/login.do" />
        <beans:property name="forceHttps" value="false" />
      </beans:bean>
    
    
      <!-- SECURITY CONTEXT PERSISTENCE FILTER -->
    
      <!-- Not referenced from <http> above; the namespace installs its own
           SecurityContextPersistenceFilter. Kept only in case something outside this
           file refers to the id; verify before removing. -->
      <beans:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
    
    
      <!--  CONCURRENCY SESSION FILTER -->
    
      <beans:bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <!-- Rejects requests whose session the registry has marked as expired and sends
             the browser back to the login page. -->
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/ssl/security/login.do" />
      </beans:bean>
      <!-- In-memory registry of live sessions per principal, shared with
           sessionControlStrategy. NOTE(review): SessionRegistryImpl only learns about
           destroyed sessions if HttpSessionEventPublisher is registered in web.xml;
           confirm that listener is present. -->
      <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    
      <!--  ACCESS DENIED HANDLER  -->
    
      <!-- Invoked when an authenticated user lacks the role required by an intercept-url. -->
      <beans:bean id="accessDeniedHandler"
        class="com.softlagos.service.appservice.impl.AccessDeniedHandlerImpl">
        <beans:property name="action" value="/security/access-denied.do" />
      </beans:bean>
    
    
      <!-- USERNAME PASSWORD AUTHENTICATION FILTER -->
    
      <beans:bean id="authenticationFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <!-- Processes the login POST. The URL is under /ssl/**, so credentials travel over HTTPS only. -->
        <beans:property name="filterProcessesUrl" value="/ssl/j_security_check.do" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <!-- Same services instance as <remember-me>; this is what issues the cookie after a
             successful login when the "rememberMe" request parameter is present. -->
        <beans:property name="rememberMeServices" ref="rememberMeServices" />
        <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
        <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
      </beans:bean>
    
    
      <!--  REMEMBER ME FILTERS  -->
    
      <!-- Not wired into <http> via custom-filter; <remember-me services-ref="..."/> builds
           its own RememberMeAuthenticationFilter around the same services bean. Kept only
           in case something outside this file refers to the id; verify before removing. -->
      <beans:bean id="rememberMeFilter"
        class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <beans:property name="rememberMeServices" ref="rememberMeServices" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
      </beans:bean>
    
    
      <!-- Second logout endpoint: clears the remember-me cookie and the session, then
           redirects to the site root. -->
      <beans:bean id="rememberMeLogoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <!-- logoutSuccessUrl: where the browser is sent once the handlers have run. -->
        <beans:constructor-arg value="/" />
        <!-- Handlers run in list order: cancel the remember-me cookie first, then
             invalidate the HTTP session and clear the SecurityContext. -->
        <beans:constructor-arg>
          <beans:list>
            <beans:ref bean="rememberMeServices" />
            <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
          </beans:list>
        </beans:constructor-arg>
        <!-- Only requests to this URL are treated as a logout by this filter. -->
        <beans:property name="filterProcessesUrl" value="/j_security_rememberMe_logout.do" />
      </beans:bean>
    
    
      <!-- EXCEPTION TRANSLATION FILTER -->
    
      <!-- Not referenced from <http> above; the namespace installs its own
           ExceptionTranslationFilter using the same entry point and access-denied handler.
           Kept only in case something outside this file refers to the id; verify before removing. -->
      <beans:bean id="exceptionTranslationFilter"
        class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
        <beans:property name="accessDeniedHandler" ref="accessDeniedHandler" />
      </beans:bean>
    
    
      <!--  AUTHENTICATION PROVIDERS -->
    
      <!-- Handles UsernamePasswordAuthenticationToken from the form login filter. -->
      <beans:bean id="formAuthenticationProvider" class="com.softlagos.service.appservice.impl.FormAuthenticationProviderImpl" />

      <!-- Accepts RememberMeAuthenticationToken produced from a valid remember-me cookie. -->
      <beans:bean id="rememberMeAuthenticationProvider"
        class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <!-- Must equal the key on rememberMeServices or every remember-me token is rejected.
             This literal is short, guessable and now public (it is quoted in this thread):
             rotate it and load it from an externalised property, the way the cookie name
             already is, changing both beans together. -->
        <beans:property name="key" value="EzLista" />
      </beans:bean>
    
    
      <!--  SUPPORTING BEANS -->
    
      <!-- Session-authentication strategy applied on login (custom subclass; behaviour
           beyond the properties below is not visible here). -->
      <beans:bean id="sessionControlStrategy"
        class="com.softlagos.service.appservice.impl.MyConcurrentSessionControllerImpl">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <!-- Up to 3 concurrent sessions per account; with exceptionIfMaximumExceeded the
             standard strategy refuses the new login instead of expiring the oldest session.
             Presumably the custom subclass keeps that contract; confirm. -->
        <beans:property name="maximumSessions" value="3" />
        <beans:property name="exceptionIfMaximumExceeded" value="true" />
        <beans:property name="messageSource" ref="messageSource" />
        <beans:property name="accountService" ref="accountService" />
      </beans:bean>
    
      <beans:bean id="rememberMeServices"
        class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <!-- Stateless remember-me: the cookie carries username, expiry and an MD5 signature
             over (username, expiry, stored password, key). Nothing is recorded server side,
             so an individual token cannot be revoked; it only dies when it expires or the
             stored password changes. Prefer PersistentTokenBasedRememberMeServices if
             revocation or theft detection matters. -->
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <!-- Request parameter checked on login to decide whether to issue the cookie. -->
        <beans:property name="parameter" value="rememberMe" />
        <beans:property name="cookieName" value="${contacts.rememberMeCookieName}" />
        <beans:property name="tokenValiditySeconds" value="${contacts.tokenValiditySeconds}" />
        <!-- Must match rememberMeAuthenticationProvider. Short, guessable and now public
             (it appears in this thread): rotate it and load it from a property like the
             cookie name above, changing both beans together. -->
        <beans:property name="key" value="EzLista" />
      </beans:bean>
    
      <!-- Redirects here after a successful form login. -->
      <beans:bean id="authenticationSuccessHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/secure/addressbook/address-book.do" />
      </beans:bean>

      <!-- After a failed login: redirect (not forward) back to the login page with an error flag. -->
      <beans:bean id="authenticationFailureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/ssl/security/login.do?login_error=1" />
        <beans:property name="useForward" value="false" />
      </beans:bean>
    
      <!-- Application listeners that write authentication events (success/failure) and
           authorization events to the log. -->
      <beans:bean id="authenticationLoggerListener" class="org.springframework.security.authentication.event.LoggerListener" />
      <beans:bean id="eventsLoggerListener" class="org.springframework.security.access.event.LoggerListener" />
    
      <!--
        Password hashing. MD5 with one application-wide salt is weak by current standards:
        identical passwords hash identically across users, and a leaked table can be
        attacked with a single fast precomputation. Neither bean is referenced from this
        file (presumably FormAuthenticationProviderImpl or UserDetailsServiceImpl use them),
        and changing the algorithm or salt invalidates every stored hash, so moving to a
        per-user salt or a slower algorithm needs a migration plan rather than an edit
        here. The salt literal is also public now (it is quoted in this thread).
      -->
      <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

      <beans:bean id="passwordSaltSource"
        class="org.springframework.security.authentication.dao.SystemWideSaltSource">
        <beans:property name="systemWideSalt" value="APPLICATION_SALT_1243#@!jA4D_do_not_change" />
      </beans:bean>
    
      <!-- Loads UserDetails by username; rememberMeServices also uses it to re-read the
           stored password when validating a cookie signature. -->
      <beans:bean id="userDetailsService" class="com.softlagos.service.appservice.impl.UserDetailsServiceImpl" />
    </beans:beans>

  2. #2


    When the user logs out, the RememberMeServices cleans up all the remember-me data (i.e. the database entry, if a persistent token store is used, and the cookie). The intent of Remember Me is that if they close their browser and come back they are automatically logged in, but if they log out they are actually logged out (otherwise why would they have logged out?). Note that with TokenBasedRememberMeServices, as in your config, there is no server-side record of the token, so a cookie you leave behind stays a valid login for the rest of tokenValiditySeconds on whatever machine it sits on. If you still want to change this behavior, you will need to provide your own way of cleaning up after the RememberMeServices (i.e. ensure you clean up the database and selectively remove the cookie). One way of doing this would be to extend the current implementation and override the logout method.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3

    AuthenticationSuccessHandler is not invoked

    The RememberMe functionality creates the cookie, but when I click on the login page link the AuthenticationSuccessHandler is not invoked.

  4. #4


    It is best to start a new thread when discussing something new. In the future please do this.

    I'm not sure I understand what you are trying to do and what is actually happening. Your first post stated that the rememberme cookie expires when the browser is closed, and the next states that the AuthenticationSuccessHandler does not get invoked when going to the login page. The AuthenticationSuccessHandler will not get invoked unless you are successfully logged in. If you want the AuthenticationSuccessHandler to run when you are logged in via the Remember Me functionality, you need to specify an authentication-success-handler-ref on the <security:remember-me /> element.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
