Majid

Reputation: 336

Spring Security "Remember Me" cookie gets deleted on browser closed event

I've followed Spring Security's instructions and managed to authenticate my users using JDBC in a Spring Boot project with the "Remember Me" feature enabled (and `setAlwaysRemember(true)`). The "Remember Me" cookie gets created in the client's browser and the token gets inserted into the "persistent_logins" table without fail.
But here comes the dilemma: when the client closes the browser, the "Remember Me" cookie gets removed automatically, which somehow makes all my effort effectless. What would be the point of having the Remember Me feature if the cookie, which is an essential requirement, gets removed on every browser closed event? The user then has to log in all over again.

Here is a picture that shows the remember me cookie has been created after a successful login.

Do I have to take some special measures to make sure that the cookie gets preserved in the browser?

[Screenshots: the remember-me cookie as shown in Chrome and in Firefox]

Upvotes: 2

Views: 1703

Answers (2)

Imtiaz Shakil Siddique

Reputation: 4298

It's not the browser that is clearing the remember-me cookie. It's your Spring app which tells the browser to clear that cookie (by giving an old expiry time).

So why does Spring do that?

Because internally Spring is throwing `BadCredentialsException`. You should debug the `RememberMeAuthenticationProvider` class to find out why it's throwing that exception.

In my case, the remember-me secret key was different than the one I used in my PersistentTokenBasedRememberMeServices class.

So please debug your application to find out the root cause of it...

Upvotes: 3
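The key mismatch described in the answer above can be ruled out by feeding one value to both the remember-me services and the provider. This is an added example, not code from the question or the answer; it assumes Spring Security 6-style configuration, existing `DataSource` and `UserDetailsService` beans, and a hypothetical property name `app.remember-me.key`.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
public class RememberMeConfig {
    // One key for both sides. The property name is an assumption for this example.
    private final String key;

    RememberMeConfig(@Value("${app.remember-me.key}") String key) { this.key = key; }

    @Bean
    PersistentTokenRepository tokenRepository(DataSource dataSource) {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource); // backs the persistent_logins table
        return repo;
    }

    @Bean
    PersistentTokenBasedRememberMeServices rememberMeServices(
            UserDetailsService users, PersistentTokenRepository tokens) {
        // The services stamp each RememberMeAuthenticationToken with a hash of this key.
        PersistentTokenBasedRememberMeServices s =
                new PersistentTokenBasedRememberMeServices(key, users, tokens);
        s.setAlwaysRemember(true);
        return s;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            PersistentTokenBasedRememberMeServices services) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // key(...) configures RememberMeAuthenticationProvider; a different
            // value here yields BadCredentialsException and a cleared cookie.
            .rememberMe(r -> r.rememberMeServices(services).key(key));
        return http.build();
    }
}
```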

Majid

Reputation: 336

I finally had to use the normal mode of the Remember Me feature (not the DB persistence mode) in order to have this working. :( When I use the DB to persist session information, upon closing the browser, the "remember-me" session vanishes somehow!

Upvotes: 0
