
How to Implement Remember-Me and Prevent Duplicate Logins in Spring Boot Security

Learn how to configure Spring Boot Security's remember‑me feature with a persistent token repository, set up the necessary SQL, customize the login page, and understand the underlying authentication flow to prevent duplicate logins and maintain user sessions across browser restarts.

Spring Full-Stack Practical Cases

Environment: Spring Boot 2.2.11.RELEASE

Please read “Spring Boot Security: Preventing Duplicate Logins and Online User Count” and “Spring Boot Security Basic Application (1)” first.

Related Configuration

Security configuration

<code>@Resource
private DataSource dataSource;
// Configure persistent login token
@Bean
public PersistentTokenRepository persistentTokenRepository() {
    JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
    tokenRepository.setDataSource(dataSource);
    return tokenRepository;
}
</code>

SQL script

Copy the CREATE_TABLE_SQL statement from JdbcTokenRepositoryImpl and execute it.

HttpSecurity configuration

<code>http.rememberMe()
    .tokenRepository(persistentTokenRepository())
    .userDetailsService(userDetailsService()) // UserDetailsService for remember‑me
    .tokenValiditySeconds(1800); // token validity period
</code>

Login page

<code><div class="c-row" style="height: auto;">
  <input type="checkbox" class="checkbox-control" id="remember-me" name="remember-me"/>
  <label for="remember-me">记住我</label>
</div>
</code>

Note: the checkbox's name attribute must be “remember-me”, the request parameter Spring Security looks for by default. Checking it at login enables the remember-me function, so the user stays logged in while the token is valid.

Test

After logging in, close and reopen the browser; you will not need to log in again. The following image shows the database table.

Source Code Analysis

On the first login, the request passes through UsernamePasswordAuthenticationFilter, which calls the doFilter method of its parent class, AbstractAuthenticationProcessingFilter.

Then successfulAuthentication is invoked:

<code>successfulAuthentication(request, response, chain, authResult);
</code>

The loginSuccess method of AbstractRememberMeServices is called.

PersistentTokenBasedRememberMeServices’s onLoginSuccess method executes, using the tokenRepository configured earlier.

When the browser is reopened, RememberMeAuthenticationFilter’s doFilter runs (only if remember‑me is enabled).

The filter attempts to retrieve the authentication from the Security context; if absent, autoLogin is performed via AbstractRememberMeServices.

extractRememberMeCookie reads the remember‑me cookie, then processAutoLoginCookie validates the token, matches it with the database, and retrieves the username.

After confirming the token is not expired and extending its validity, the service loads the user details:

<code>return getUserDetailsService().loadUserByUsername(token.getUsername());
</code>

Finally, the user information is stored in the Security context, completing the remember‑me flow.
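
The cookie check described in the analysis above, as an added example that is not from the original article or from Spring Security's source: a plain-Java model of the series/token validation, including the branch where a known series arrives with a stale token. The class name, the in-memory map standing in for the persistent_logins table, the simplified cookie encoding and the sample users are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

// Simplified model of the series/token check; not Spring Security source code.
public class RememberMeFlowDemo {
    static final long VALIDITY_MS = 1800 * 1000L;            // tokenValiditySeconds(1800) from the page
    static final SecureRandom RNG = new SecureRandom();
    // One row of the token table: username, series (primary key), token, last_used.
    static class Row { String user, token; long lastUsed; Row(String u, String t, long l) { user = u; token = t; lastUsed = l; } }
    static final Map<String, Row> TABLE = new HashMap<>();    // in-memory stand-in for the JDBC table, keyed by series

    static String random() { byte[] b = new byte[16]; RNG.nextBytes(b); return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    static String cookie(String series, String token) {
        return Base64.getEncoder().encodeToString((series + ":" + token).getBytes(StandardCharsets.UTF_8));
    }

    // Login with the remember-me box checked: new series, new token, one new row.
    static String onLoginSuccess(String user, long now) {
        String series = random(), token = random();
        TABLE.put(series, new Row(user, token, now));
        return cookie(series, token);
    }

    // Auto-login from the cookie. Returns {username, replacementCookie} or throws.
    static String[] processAutoLoginCookie(String cookieValue, long now) {
        String[] parts = new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8).split(":");
        if (parts.length != 2) throw new IllegalArgumentException("malformed cookie");
        Row row = TABLE.get(parts[0]);
        if (row == null) throw new IllegalStateException("unknown series");
        if (!row.token.equals(parts[1])) {                    // known series, stale token: the cookie was used elsewhere
            TABLE.values().removeIf(r -> r.user.equals(row.user));
            throw new SecurityException("possible cookie theft, all remember-me tokens for user removed");
        }
        if (row.lastUsed + VALIDITY_MS < now) throw new IllegalStateException("remember-me login has expired");
        row.token = random(); row.lastUsed = now;             // rotate token value, keep series, restart validity window
        return new String[] { row.user, cookie(parts[0], row.token) };
    }

    public static void main(String[] args) {
        String c1 = onLoginSuccess("alice", 0L);              // constructed sample user and timestamps
        String[] r = processAutoLoginCookie(c1, 60_000L);
        System.out.println("auto-login as " + r[0] + ", cookie rotated: " + !r[1].equals(c1));
        try { processAutoLoginCookie(c1, 120_000L); }         // the pre-rotation cookie presented again
        catch (SecurityException e) { System.out.println(e.getMessage() + "; rows left: " + TABLE.size()); }
        try { processAutoLoginCookie(onLoginSuccess("bob", 0L), VALIDITY_MS + 1); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the token value changes on every successful auto-login, a cookie that has already been exchanged no longer matches its row, and the model then clears every remember-me row for that user so the next visit requires a full login.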

Done!

Written by

Spring Full-Stack Practical Cases
