Document that a custom CookieSerializer might break Remember Me

[OneGeek]

I think that the docs update made for #1157 does not actually solve the problem because although SpringSessionRememberMeServices does call request.setAttribute(REMEMBER_ME_LOGIN_ATTR, true); it doesn't ensure cookieSerializer.setRememberMeRequestAttribute(REMEMBER_ME_LOGIN_ATTR); gets called, which is necessary for DefaultCookieSerializer to know to check if the attribute is actually set on the request.

So the example present docs for customizing the session cookie will break remember me, and nothing elsewhere in the documentation accounts for this.

[marcusdacoregio]

Hi, @OneGeek. Thanks for the report.

Nice catch, I think that in addition to improving the documentation it would be worth adding a warning log if they are using SpringSessionRememberMeServices and their DefaultCookieSerializer does not have the rememberMeRequestAttribute set.

It is important to remember folks that if you let Spring Session create the cookie serializer for you it already takes care of setting the rememberMeRequestAttribute.