W4pp

Reputation: 145

Why does the Spring Security remember-me implementation remove all active tokens upon logout?

Is there any reason why logging off from one device removes all persistent login tokens (remember-me) for a user?

In my case for example a user can be logged in from desktop and tablet, and a user logging off from the desktop should not cause the remember-me token used by the tablet to be removed.

Current implementation in JdbcTokenRepositoryImpl only accepts a username:

public void removeUserTokens(String username) {
    getJdbcTemplate().update(removeUserTokensSql, username);
}

so I created a custom implementation of the RememberMeServices and PersistentTokenRepository that only allows a specific series to be deleted for a user:

// removeUserTokensSql here must carry two placeholders (username = ? and series = ?);
// the stock statement in JdbcTokenRepositoryImpl binds only the username.
public void removeUserTokens(String username, String presentedSeries) {
    getJdbcTemplate().update(removeUserTokensSql, username, presentedSeries);
}

Is this safe?

Upvotes: 1

Views: 663
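The series-scoped logout described in the question, written out as an added example (it is neither the asker's code nor part of Spring Security). It assumes the default `persistent_logins` table, the Spring Security 6 `jakarta.servlet` namespace, and the hypothetical class and method names `SeriesScopedTokenRepository`, `removeUserToken` and `SeriesScopedRememberMeServices`; `JdbcTokenRepositoryImpl`, `PersistentTokenBasedRememberMeServices`, `extractRememberMeCookie`, `decodeCookie`, `cancelCookie` and `removeUserTokens` are Spring Security's own.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;

/** Repository that can drop one series instead of every series the user owns. (Added example.) */
class SeriesScopedTokenRepository extends JdbcTokenRepositoryImpl {

    // Hypothetical statement: the stock class only ships the username-only delete.
    private static final String REMOVE_SERIES_SQL =
            "delete from persistent_logins where username = ? and series = ?";

    public void removeUserToken(String username, String series) {
        getJdbcTemplate().update(REMOVE_SERIES_SQL, username, series);
    }
}

/** Logout that revokes only the series presented by the device that is logging out. (Added example.) */
class SeriesScopedRememberMeServices extends PersistentTokenBasedRememberMeServices {

    private final SeriesScopedTokenRepository repository;

    SeriesScopedRememberMeServices(String key, UserDetailsService users,
                                   SeriesScopedTokenRepository repository) {
        super(key, users, repository);
        this.repository = repository;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // Clear the cookie on this device as the parent does, but do not call
        // super.logout(): that is where the parent deletes every series of the user.
        cancelCookie(request, response);
        if (authentication == null) {
            return;
        }
        String username = authentication.getName();
        String cookie = extractRememberMeCookie(request);
        if (cookie == null) {
            // No remember-me cookie was presented, so nothing identifies which series
            // belongs to this device: fall back to the stock behaviour and revoke all.
            repository.removeUserTokens(username);
            return;
        }
        try {
            // A persistent-token cookie decodes to {series, token}; only the series is needed.
            String[] parts = decodeCookie(cookie);
            if (parts.length != 2) {
                repository.removeUserTokens(username);
                return;
            }
            repository.removeUserToken(username, parts[0]);
        } catch (InvalidCookieException ex) {
            // Malformed or tampered cookie: revoke everything rather than guess a series.
            repository.removeUserTokens(username);
        }
    }
}
```

`processAutoLoginCookie` is left untouched, so the parent's cookie-theft check still runs: a presented token that does not match the stored token for its series causes `removeUserTokens(username)` for every series and a `CookieTheftException`. The trade-off of the override is the one the question asks about: logging out on the desktop no longer revokes the tablet's token, which also means a token left on another machine is not revoked by logging out somewhere else.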

Answers (1)

Rob Winch

Reputation: 21720

Remember me is not about being remembered after log out. If the user takes explicit action to log out, the remember me token should be invalidated. Think about someone using a public computer who accidentally selects remember me. If they explicitly log out, the remember me token must be invalidated.

Remember me is only about being remembered after session time out. The reason is that historically sessions were saved in memory. If there were too many active sessions, then it would cause out of memory errors. This is really not necessary now that the session can easily be stored in an external data store using something like Spring Session.

Upvotes: 2
