Matthew Reynard (Migrated from SEC-949) said:
When configuring remember-me services and token-validity-seconds is -1 would be nice to have it act like how the browser handles cookies of that age (for the life of the browser). This can be done by putting a expiry time for a few weeks or so on when the cookie is generated, and leaving the maxAge to -1.
Luke Taylor said:
I’ve added support for this to TokenBasedRememberMeServices. It allows the use of a negative value as the tokenValiditySeconds property. If the value is negative, the token expiryTime (as used in the signature) will remain at the default of 14 days, but the cookie maxAge will be set to the negative value, preventing it from being persisted on the client when the browser closes.
PersistentTokenBasedRememberMeServices will reject a negative value on initialization.