I'm curious how Remember Me works, and how it works in Spring Security.
I understand that the server sends long-lived cookies to the client. The client then sends the cookie back, and the server can recognize the client because there's something like a hash map on the server with cookie --> session relations.
I don't understand how the server [server-side application] recognizes a client by cookie after the server [Tomcat] has been restarted.
How and where does Spring Security save the cookie-session map before server shutdown? Is it server-specific (i.e. does something different happen in Tomcat, Jetty, etc.)?
P.S. One more related problem with Spring Security and redeployment: even if I don't tick RememberMe and log in, I'm still recognized after redeployment for about 3 mins. Is it fixable?