SEC-949: token-validity-seconds -1 Not Handled #1193

spring-issuemaster opened this Issue Aug 5, 2008 · 1 comment




Matthew Reynard (Migrated from SEC-949) said:

When configuring remember-me services and token-validity-seconds is -1, it would be nice to have it act like how the browser handles cookies of that age (for the life of the browser). This can be done by putting an expiry time for a few weeks or so on when the cookie is generated, and leaving the maxAge to -1.


Luke Taylor said:

I’ve added support for this to TokenBasedRememberMeServices. It allows the use of a negative value as the tokenValiditySeconds property. If the value is negative, the token expiryTime (as used in the signature) will remain at the default of 14 days, but the cookie maxAge will be set to the negative value, preventing it from being persisted on the client when the browser closes.

PersistentTokenBasedRememberMeServices will reject a negative value on initialization.
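
The behaviour described in the comment above, as an added example that is not part of the original thread and is not Spring Security's code: a negative validity changes only the cookie maxAge, while the expiry inside the signed token stays at 14 days and is what the server enforces. The class name, the `user:expiry:signature` layout, the HMAC-SHA256 signature and the key are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration, not Spring Security's implementation (layout and HMAC are assumptions).
public class RememberMeSketch {
    static final int TWO_WEEKS_S = 14 * 24 * 60 * 60; // the 14-day default named in the comment
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    static String sign(String user, long expiryMs) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] sig = mac.doFinal((user + ":" + expiryMs).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    // Returns {cookieValue, cookieMaxAge}. A negative validity affects only maxAge.
    static String[] issue(String user, int tokenValiditySeconds, long nowMs) throws Exception {
        int signedLifetime = tokenValiditySeconds < 0 ? TWO_WEEKS_S : tokenValiditySeconds;
        long expiryMs = nowMs + signedLifetime * 1000L;
        String value = user + ":" + expiryMs + ":" + sign(user, expiryMs);
        return new String[] { value, Integer.toString(tokenValiditySeconds) };
    }

    // Server-side check: signature compared in constant time, then the signed expiry.
    static boolean validate(String cookieValue, long nowMs) throws Exception {
        String[] p = cookieValue.split(":");
        if (p.length != 3) return false; // malformed, or a user name containing ':'
        long expiryMs;
        try { expiryMs = Long.parseLong(p[1]); } catch (NumberFormatException e) { return false; }
        byte[] expected = sign(p[0], expiryMs).getBytes(StandardCharsets.UTF_8);
        byte[] got = p[2].getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, got) && nowMs < expiryMs;
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String[] c = issue("alice", -1, now);
        System.out.println("cookie maxAge    = " + c[1]);
        System.out.println("valid now        = " + validate(c[0], now));
        System.out.println("valid at day 15  = " + validate(c[0], now + 15L * 86_400_000L));
        // Constructed tampering case: expiry pushed out a year without re-signing.
        String tampered = c[0].replaceFirst(":\\d+:", ":" + (now + 365L * 86_400_000L) + ":");
        System.out.println("tampered expiry  = " + validate(tampered, now));
    }
}
```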

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016