Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-949: token-validity-seconds -1 Not Handled #1193

spring-issuemaster opened this Issue Aug 5, 2008 · 1 comment


None yet
1 participant

Matthew Reynard(Migrated from SEC-949) said:

When configuring remember-me services and token-validity-seconds is -1 would be nice to have it act like how the browser handles cookies of that age (for the life of the browser). This can be done by putting a expiry time for a few weeks or so on when the cookie is generated, and leaving the maxAge to -1.

Luke Taylor said:

I’ve added support for this to TokenBasedRememberMeServices. It allows the use of a negative value as the tokenValiditySeconds property. If the value is negative, the token expiryTime (as used in the signature) will remain at the default of 14 days, but the cookie maxAge will be set to the negative value, preventing it from being persisted on the client when the browser closes.

PersistentTokenBasedRememberMeServices will reject a negative value on initialization.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment