  • Using Remember Me with Asynchronous Requests?


    I'm attempting to use Spring Security's Persistent Token Remember Me authentication for a group of applications. However, I believe I'm running into a problem with how the remember me token is incremented on every validation request.

    I've read the documentation for why this is done (to identify "old" token values and trigger cookie theft exceptions) but I'm having difficulty understanding how this is supposed to work with asynchronous requests, or if it's even possible. My understanding is that if an app's front-end fires off numerous AJAX requests to a back-end using remember me authentication then each of those requests will be validated and trigger an increment of the token to the next value in its series. However, because these requests are all fired asynchronously, I can't guarantee that the "newest" token value will be returned last, or that each AJAX call after the first will even validate.

    Is there any established solution for this problem? I understand that preventing cookie theft is a best practice for remember me implementations, but I can't find any information on making this work with AJAX or other asynchronous requests. Most old issues I find via Google on this topic involve just disabling remember me for app resources like images and stylesheets, but I can't disable security for actual service calls.

    Thanks for any info you can provide,

  • #2
    After you have authenticated with remember me, the session should store the current user. In that instance the remember me is no longer used (because the user is restored from session).
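
A simplified model of the token rotation described in the question and of the session behaviour described in reply #2, added here as an example; it is not Spring Security's code and not written by either poster. The names `TokenStore`, `handle` and the two `burst_*` functions are hypothetical, and the asynchronous requests are modelled as requests that were sent carrying the same cookie value.

```python
import secrets

class CookieTheft(Exception):
    """Presented token is not the current one stored for its series."""

class TokenStore:
    """Hypothetical persistent-token table: series -> (user, current token)."""
    def __init__(self):
        self.rows = {}
    def login(self, user):
        series, token = secrets.token_hex(8), secrets.token_hex(8)
        self.rows[series] = (user, token)
        return series, token  # value placed in the remember-me cookie

    def auto_login(self, series, token):
        user, current = self.rows[series]
        if not secrets.compare_digest(current, token):
            # Stale value for a known series: drop the user's tokens, report theft.
            self.rows = {s: r for s, r in self.rows.items() if r[0] != user}
            raise CookieTheft(user)
        rotated = secrets.token_hex(8)  # every successful validation rotates
        self.rows[series] = (user, rotated)
        return user, (series, rotated)

def handle(store, sessions, session_id, cookie):
    """One request: an existing session wins; remember-me is only the fallback."""
    if session_id in sessions:
        return sessions[session_id], cookie, session_id
    user, cookie = store.auto_login(*cookie)
    session_id = secrets.token_hex(8)
    sessions[session_id] = user
    return user, cookie, session_id

def burst_without_session():
    store, sessions = TokenStore(), {}
    cookie = store.login("alice")  # constructed user
    handle(store, sessions, None, cookie)      # first arrival rotates the token
    try:
        handle(store, sessions, None, cookie)  # second still carries the old value
    except CookieTheft:
        return "theft", len(store.rows)
    return "ok", len(store.rows)

def burst_with_session():
    store, sessions = TokenStore(), {}
    user, cookie, sid = handle(store, sessions, None, store.login("alice"))
    before = dict(store.rows)
    users = [handle(store, sessions, sid, cookie)[0] for _ in range(5)]
    return users, store.rows == before
```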