Disable Remember-Me in Spring Security and Tomcat
I wonder if there is a way to disable mem-me in Spring Security? The scenario I want to implement is quite common: after closing the browser window, I would like the user's session to expire. It seems strange, but it doesn't work with Tomcat 7 and Spring Security 3.1. We are using auto-config in the Spring Security configuration file, but the mem-me element is missing.
What's the best solution for it to work? Thanks in advance!
Update Here is a use case to clarify my problem:
- User enters a restricted area, say /secure.html
- Then it closes the browser without manually logging out.
- It opens the browser again and goes directly to /secure.html.
- Current Spring Behavior: The page renders successfully. Expected Behavior: Redirect to the login page.
New Symptoms for Differential Diagnosis: User is probably re-authenticated because JSESSIONID is being closed / opened in the same browser. How can I force Tomcat or Spring to create a new session for each browser session?
Update Snippet Spring Security Configuration:
<http auto-config="true">
<anonymous key="anonymous-security" />
<intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_ADMIN" />
<form-login login-page="/auth/login.html"
default-target-url="/auth/default.html"
authentication-failure-url="/auth/failed.html" />
<logout logout-success-url="/auth/logout.html" delete-cookies="JSESSIONID" />
</http>
Update The documentation states that there is no default configuration in auto-config = "true" since 3.0 (we are using 3.1):
Prior to 3.0, this list also included remember-me functionality. This can lead to some confusing bugs with some configurations and was removed in 3.0.
What's wrong with my web app?
source to share
In my implementation with the latest Spring Security and Tomcat 6, I am using the following configuration: is it similar to yours?
<http use-expressions="true" access-denied-page="/Error.xhtml">
<intercept-url access="isAuthenticated()" pattern="/secure.xhtml"/>
<form-login />
<logout invalidate-session="true" logout-success-url="/search.xhtml"/>
</http>
source to share
You can try adding logouthandler
to set up your local session:
<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="true" />
</bean>
It actually defaults to true, so you probably don't need to set the property.
source to share
Clarifying the problem:
I faced the same problem: my browser will remember my user.
Usually: after logging in to access the restricted area, close the browser, then close it again and enter the same restricted area that I will let me access it when I expect you to be prompted for credentials.
One important thing I noticed after playing the game is this behavior is NOT JOINT across browsers :
- Eclipse plug-in browser remembers after closing
- Chrome remembers after closing
- IE (9) DOES NOT remember after closing
- Firefox (16.0.1) DOES NOT remember after closing
- Safari (5.1.7 for Windows) DOES NOT remember after closing
Other browser types and versions can be checked ...
Decision:
- A workaround might be to try to detect when the user closes their browser and force a logout when this happens. Not too sure how much this is possible.
There might be a better solution, I'll update this answer if I find it.
source to share