Hippo spark (Migrated from SEC-1726) said:

When using 'PersistentTokenBasedRememberMeServices' as the remember-me service, if one user logs in two or more times from different places and then one of them logs out, this will remove all login tokens from the persistent token repository. I think it's better to just remove the current login token instead of removing all the user's tokens.

Add method 'removeToken' in PersistentTokenRepository:

```java
public interface PersistentTokenRepository {
    void createNewToken(PersistentRememberMeToken token);
    void updateToken(String series, String tokenValue, Date lastUsed);
    PersistentRememberMeToken getTokenForSeries(String seriesId);
    void removeUserTokens(String username);
    void removeToken(String series); // add
}
```

Modify the method 'logout' in PersistentTokenBasedRememberMeServices:

```java
@Override
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
    super.logout(request, response, authentication);

    if (authentication != null) {

        // Remove the following line
        // tokenRepository.removeUserTokens(authentication.getName());

        /** Append the following **/
        String rememberMeCookie = extractRememberMeCookie(request);
        if (rememberMeCookie == null) {
            return;
        }
        String[] cookieTokens = decodeCookie(rememberMeCookie);
        if (cookieTokens.length == 2) {
            String seriesId = cookieTokens[0];
            tokenRepository.removeToken(seriesId);
        }
    }
}
```

Comment From: spring-projects-issues

Luke Taylor said:

The safest option is to clear all persistent login information when a user logs out and I think that should remain the default behaviour.

You can easily customize the behaviour if you wish, but the overhead of having to log in again is minimal.

Comment From: spring-projects-issues

Mike Jax said:

I don't think it's more safe to log out everywhere; maybe at home I'd like to stay logged in, and in other places (work) I'd like to log out.

This is forcing the trade of functionality for safety and I don't like it. People will probably start using the more unsafe 'remember password' mode in their browsers to overcome this.

Comment From: Dominik355

I know this thread is 8 years old, but I am struggling to find anything about how to override the PersistentTokenBasedRememberMeServices logout() method. If I create this class

```java
@Service
public class CustomRememberMeService extends PersistentTokenBasedRememberMeServices {

    public CustomRememberMeService(String key, MyUserDetailsService userDetailsService, PersistentTokenRepository tokenRepository) {
        super(key, userDetailsService, tokenRepository);
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        super.logout(request, response, authentication);
    }

}
```

it does nothing; the logout method is not even called. I tried to create a bean of this class of type AbstractRememberMeServices in a configuration class. Thanks for the help

Comment From: jzheaux

@Dominik355, sorry you are having trouble. Have you already tried to register it in the DSL, like so:

```java
http
    .rememberMe((remember) -> remember
        .rememberMeServices(customRememberMe)
    )
    // ...
```

If you are still stuck, please consider asking a question on Stack Overflow instead of posting to an old ticket. You'll likely get more visibility and hopefully more answers that way. It would also be helpful in that question to hear why you are wanting to override the logout method as there may be a simpler way to achieve your larger goal.

Comment From: Dominik355

I posted, no answers yet; it's been a few weeks now. I am trying to override it to change the policy for deleting remember-me tokens. In that logout method, all of the user's remember-me tokens are deleted; I would like to change that to delete just the token related to the device where the user logged off, so tokens from other devices will still be stored. Thank you

Comment From: jzheaux

What is the Stack Overflow link? I'm happy to take a look. Also, what was the result of registering your custom RememberMeServices in the DSL?
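The per-device logout discussed in this thread, as an added example that is not part of any comment above and not Spring Security's own code. It assumes Spring Security 6 (`jakarta.servlet`; use `javax.servlet` on 5.x) and a hypothetical `SeriesTokenRepository` that adds the `removeToken(String series)` method proposed in the first post; the class name `PerDeviceRememberMeServices` is also an assumption.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

// Hypothetical extension: the stock PersistentTokenRepository has no per-series delete.
interface SeriesTokenRepository extends PersistentTokenRepository {
    void removeToken(String series);
}

public class PerDeviceRememberMeServices extends PersistentTokenBasedRememberMeServices {
    private final SeriesTokenRepository tokens; // the parent's field is private, so keep our own reference

    public PerDeviceRememberMeServices(String key, UserDetailsService uds, SeriesTokenRepository tokens) {
        super(key, uds, tokens);
        this.tokens = tokens;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        String series = seriesFromCookie(request);
        cancelCookie(request, response); // not super.logout(): that deletes every token of the user
        if (series == null || authentication == null) {
            return;
        }
        PersistentRememberMeToken stored = tokens.getTokenForSeries(series);
        // Delete only a series that belongs to the user who is logging out.
        if (stored != null && stored.getUsername().equals(authentication.getName())) {
            tokens.removeToken(series);
        }
    }

    private String seriesFromCookie(HttpServletRequest request) {
        String cookie = extractRememberMeCookie(request);
        if (cookie == null || cookie.isEmpty()) {
            return null;
        }
        try {
            String[] parts = decodeCookie(cookie); // persistent cookies carry {series, token}
            return parts.length == 2 ? parts[0] : null;
        } catch (InvalidCookieException ex) {
            return null; // malformed cookie: nothing to delete for this device
        }
    }
}
```

Register an instance through the `rememberMeServices(...)` DSL call shown earlier in the thread.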