yonsok

Reputation: 53

if session deleted, remember-me cookie is also deleted

I'm learning Spring Security. I have a question about the remember-me feature.

Here is my partial source.

If I close the browser and open a new one, the value of the session cookie is the same. If I delete the session cookie using logout (`.deleteCookies("JSESSIONID")`), the remember-me cookie is also removed.

I need the following:

If the browser is closed and a new one is opened, the value of the session cookie should be different. If the session cookie is deleted using logout, the remember-me cookie should be kept.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    private ApplicationContext applicationContext;

    @Autowired
    AuthenticationService authenticationService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/resource/**", "/login", "/login-error").permitAll()

                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")

                .anyRequest().authenticated()
                .and()
            .formLogin()
                .failureUrl("/login?error")
                .defaultSuccessUrl("/main", true)
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                // Removes only the session cookie; the remember-me cookie is
                // cleared separately by the remember-me LogoutHandler.
                .deleteCookies("JSESSIONID")
                .permitAll()
                .and()
            .rememberMe()
                .rememberMeParameter("remember-me")   // name of the login-form checkbox
                .tokenValiditySeconds(60*2)           // persistent token lives 2 minutes
                .tokenRepository(persistentTokenRepository());

        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.NEVER);
        http
            .exceptionHandling()
                .accessDeniedPage("/login?error");
        http
            .sessionManagement()
                .invalidSessionUrl("/login");
    }

    // Stores persistent remember-me tokens in the persistent_logins table.
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl db = new JdbcTokenRepositoryImpl();
        db.setDataSource(dataSource);
        return db;
    }
```

... (other source)

Upvotes: 1

Views: 1314

Answers (1)

dur

Reputation: 16969

If you use the fluent API, by default your remember-me cookie is deleted; see the Spring Security Reference:

10.24.1 Logout Java Configuration

When using the WebSecurityConfigurerAdapter, logout capabilities are automatically applied. The default is that accessing the URL /logout will log the user out by:

  • Invalidating the HTTP Session
  • Cleaning up any RememberMe authentication that was configured
  • Clearing the SecurityContextHolder
  • Redirect to /login?logout

But it looks like you could do it with your own implementation of RememberMeServices; see the Spring Security Reference:

services-ref Allows complete control of the RememberMeServices implementation that will be used by the filter. The value should be the id of a bean in the application context which implements this interface. Should also implement LogoutHandler if a logout filter is in use.

Upvotes: 2
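One way to do what the answer describes, as an added example that is not code from the question or the answer: subclass PersistentTokenBasedRememberMeServices (the class `.tokenRepository(...)` creates behind the scenes), make its LogoutHandler method a no-op, and hand it to `.rememberMe().rememberMeServices(...)`. The class name, bean name and key value are assumptions; the trade-off is that `/logout` then no longer revokes the persistent token, so whoever holds the cookie on that browser keeps access until `tokenValiditySeconds` expires.

```java
// Added example, not code from the question or the answer. Class, bean and
// key names are assumptions; the Spring Security APIs used are the real ones.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

/**
 * AbstractRememberMeServices implements LogoutHandler, and RememberMeConfigurer
 * registers any RememberMeServices that implements LogoutHandler with the logout
 * filter. That logout() is what cancels the "remember-me" cookie and, for the
 * persistent variant, deletes the user's tokens from the repository;
 * .deleteCookies("JSESSIONID") plays no part in it.
 */
public class KeepCookieRememberMeServices extends PersistentTokenBasedRememberMeServices {

    public KeepCookieRememberMeServices(String key, UserDetailsService userDetailsService,
                                        PersistentTokenRepository tokenRepository) {
        super(key, userDetailsService, tokenRepository);
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // Intentionally empty: cookie and stored token survive /logout, so the next
        // request is auto-logged-in until tokenValiditySeconds elapses. Logout no
        // longer revokes remember-me access on that browser.
    }
}

/* Wiring in WebSecurityConfig (userDetailsService is an assumed @Autowired field):
 *
 *   @Bean
 *   public RememberMeServices rememberMeServices() {
 *       KeepCookieRememberMeServices s = new KeepCookieRememberMeServices(
 *               "change-me-remember-me-key", userDetailsService, persistentTokenRepository());
 *       s.setParameter("remember-me");       // form checkbox name, as in the question
 *       s.setTokenValiditySeconds(60 * 2);   // same 2-minute lifetime as the question
 *       return s;
 *   }
 *
 *   // in configure(HttpSecurity http), replacing the .rememberMe() section:
 *   .rememberMe()
 *       .rememberMeServices(rememberMeServices())
 *       .key("change-me-remember-me-key")    // must equal the key passed to the services
 */
```

The `.key(...)` value must match the constructor key: RememberMeAuthenticationProvider rejects tokens whose key hash differs, so a mismatch silently breaks auto-login.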
