Shiro源码——记住我功能实现原理

Posted 2022-02-02 敲代码的小小酥

在分析login源码时，我们看到了记住我功能是SecurityManager的login方法的这行代码:

onSuccessfulLogin(token, info, loggedIn);

下面分析这行代码的源码:
一顿点击方法，进入关键方法:

protected void rememberSerializedIdentity(Subject subject, byte[] serialized) 

        if (!WebUtils.isHttp(subject)) 
            if (log.isDebugEnabled()) 
                String msg = "Subject argument is not an HTTP-aware instance.  This is required to obtain a servlet " +
                        "request and response in order to set the rememberMe cookie. Returning immediately and " +
                        "ignoring rememberMe operation.";
                log.debug(msg);
            
            return;
        


        HttpServletRequest request = WebUtils.getHttpRequest(subject);
        HttpServletResponse response = WebUtils.getHttpResponse(subject);

        //base 64 encode it and store as a cookie:
        String base64 = Base64.encodeToString(serialized);

        Cookie template = getCookie(); //the class attribute is really a template for the outgoing cookies
        Cookie cookie = new SimpleCookie(template);
        cookie.setValue(base64);
        cookie.saveTo(request, response);
    

可以看到，最终将登陆信息，放入了session中。看SimpleCookie源码:

可以看到，这里设置了cookie的最大过期时间。所以，记住我的核心就是设置cookie的过期时间。
然后在UserFilter过滤器中，获取cookie中的用户信息，如果获取到，则放行，表示登陆成功。