<p/> When you visit Amazon.com and perform a login and ask it to 'remember me', it will set a cookie with your identity. If you don't log out and your session expires, and you come back, say the next day, Amazon still knows who you <em>probably</em> are: you still see all of your book and movie recommendations and similar user-specific features since these are based on your (remembered) user id. <p/> BUT, if you try to do something sensitive, such as access your account's billing data, Amazon forces you to do an actual log-in, requiring your username and password. <p/> This is because although amazon.com assumed your identity from 'remember me', it recognized that you were not actually authenticated. The only way to really guarantee you are who you say you are, and therefore allow you access to sensitive account data, is to force you to perform an actual successful authentication. You can check this guarantee via the {@link #isAuthenticated() isAuthenticated()} method and not via this method.
@return {@code true} if this {@code Subject}'s identity (aka {@link #getPrincipals() principals}) is remembered from a successful authentication during a previous session, {@code false} otherwise.
Returns {@code true} if this {@code Subject} has an identity (it is not anonymous) and the identity (aka {@link #getPrincipals() principals}) is remembered from a successful authentication during a previous session. <p/> Although the underlying implementation determines exactly how this method functions, most implementations have this method act as the logical equivalent to this code: <pre> {@link #getPrincipal() getPrincipal()} !is null && !{@link #isAuthenticated() isAuthenticated()}</pre> <p/> Note as indicated by the above code example, if a {@code Subject} is remembered, they are <em>NOT</em> considered authenticated. A check against {@link #isAuthenticated() isAuthenticated()} is a more strict check than that reflected by this method. For example, a check to see if a subject can access financial information should almost always depend on {@link #isAuthenticated() isAuthenticated()} to <em>guarantee</em> a verified identity, and not this method. <p/> Once the subject is authenticated, they are no longer considered only remembered because their identity would have been verified during the current session. <h4>Remembered vs Authenticated</h4> Authentication is the process of <em>proving</em> you are who you say you are. When a user is only remembered, the remembered identity gives the system an idea who that user probably is, but in reality, has no way of absolutely <em>guaranteeing</em> if the remembered {@code Subject} represents the user currently using the application. <p/> So although many parts of the application can still perform user-specific logic based on the remembered {@link #getPrincipals() principals}, such as customized views, it should never perform highly-sensitive operations until the user has legitimately verified their identity by executing a successful authentication attempt. <p/> We see this paradigm all over the web, and we will use <a href="http://www.amazon.com">Amazon.com</a> as an