 

Shiro: how does remember me work?

I've got a few questions about Shiro's remember me feature:

  1. Why does Shiro generate different "remember me" token values for the same account on each login?
  2. Would a hacker be able to generate a "remember me" token for any account if I use the default CipherKey?
  3. How can I control the "remember me" duration? By Cookie age? So if the client cookie never expires then that "remember me" cookie will work forever?
fedor.belov asked Oct 29 '14 19:10



2 Answers

Shiro's default "remember me" functionality is quite problematic, for exactly the reasons you have picked up here. This is an excellent question. I have found the same issues when I started digging into their implementation.

  1. Because a random IV is used each time

    The "remember me" cookie contains only the "Principals", i.e. your username, encrypted with AES (by default). Each time you log in, the exact same information will be encrypted with the exact same key. Shiro does use a random IV by default -- see JcaCipherService, so the encrypted binary blob will appear random on each login.

  2. YES!

    If a hacker knows the username of any account on your website, and if you are using Shiro with its default settings, then it will be easy for them to generate a valid "remember me" token and log into your website.

    Hopefully you have marked all sensitive actions with "@RequiresAuthentication", and don't allow only-remembered users to see anything sensitive, although this would be an easy mistake to make if you did not.

    For this reason, I think it is a big security bug for Shiro to use a default key here. I think Shiro should use a random key by default, or require you to specify a new key if you want to use "remember me". See e.g. https://github.com/pledbrook/grails-shiro/issues/28

  3. YOU MUST TRUST THE CLIENT!

    The "remember me" cookie is set with a "max age" which is 1 year by default -- see CookieRememberMeManager.

    However, Shiro does not include any date information in the encrypted cookie data, so it cannot verify that the client has honoured this time limit.

    I think this is a security bug, and Shiro ought to include the date of generation in the encrypted data, and verify this server-side.

Open Shiro bugs

The following Shiro bugs now track these issues:

  • https://issues.apache.org/jira/browse/SHIRO-441 Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key
  • https://issues.apache.org/jira/browse/SHIRO-561 "Remember me" cookie age is not verified server-side
Rich answered Sep 27 '22 21:09



  1. Cannot clarify much about this question.
  2. See this BalusC blog post. It mentions hackers and the default cipher key.
  3. By default the max age of the rememberMe cookie is one year. According to the Shiro documentation you can control the max age of that cookie through the rememberMeManager:

    securityManager.rememberMeManager.cookie.maxAge = [max_age_in_seconds];
    
briarheart answered Sep 27 '22 21:09

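Putting the points from both answers into one configuration, as an added example that is neither Shiro's own code nor from either answerer: a CookieRememberMeManager subclass that refuses to run without an explicit cipher key (first answer, item 2), sets the cookie max age together with the HttpOnly and Secure flags (second answer, item 3), and stores an issued-at timestamp inside the encrypted payload so the server enforces the age limit itself instead of trusting the client (first answer, item 3). It goes beyond the answers in that last respect. It assumes the protected hooks that Shiro 1.x exposes on AbstractRememberMeManager (convertPrincipalsToBytes, convertBytesToPrincipals, serialize, deserialize, encrypt, decrypt); the class name, the 14-day limit, the HTTPS assumption behind the Secure flag and the helper method names are my own.

```java
import java.nio.ByteBuffer;
import java.security.Key;
import java.util.Arrays;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;

/**
 * Added example, not Shiro's own code. A remember-me manager that
 *  (a) requires an explicit AES key instead of the library default,
 *  (b) prepends an issued-at timestamp to the principals before encryption, and
 *  (c) rejects cookies older than maxAge server-side, whatever the client sends.
 */
public class ExpiringRememberMeManager extends CookieRememberMeManager {

    private static final int TIMESTAMP_LEN = Long.BYTES;
    private final long maxAgeMillis;

    public ExpiringRememberMeManager(byte[] cipherKey, int maxAgeSeconds) {
        if (cipherKey == null || cipherKey.length < 16) {
            throw new IllegalArgumentException("cipherKey must be an explicit AES key of at least 128 bits");
        }
        setCipherKey(cipherKey);                 // never rely on the library default key
        this.maxAgeMillis = maxAgeSeconds * 1000L;

        SimpleCookie cookie = new SimpleCookie(DEFAULT_REMEMBER_ME_COOKIE_NAME);
        cookie.setMaxAge(maxAgeSeconds);         // advisory only: a client may keep the cookie longer
        cookie.setHttpOnly(true);
        cookie.setSecure(true);                  // assumption: the application is served over HTTPS
        setCookie(cookie);
    }

    /** Plaintext layout: 8-byte issued-at millis || serialized principals; the whole thing is encrypted. */
    @Override
    protected byte[] convertPrincipalsToBytes(PrincipalCollection principals) {
        byte[] serialized = serialize(principals);
        ByteBuffer buf = ByteBuffer.allocate(TIMESTAMP_LEN + serialized.length);
        buf.putLong(System.currentTimeMillis());
        buf.put(serialized);
        return encrypt(buf.array());
    }

    /** Decrypt, then enforce the age limit before the principals are trusted at all. */
    @Override
    protected PrincipalCollection convertBytesToPrincipals(byte[] bytes, SubjectContext subjectContext) {
        byte[] plain = decrypt(bytes);
        if (plain.length <= TIMESTAMP_LEN) {
            throw new IllegalArgumentException("remember-me payload too short");
        }
        long issuedAt = ByteBuffer.wrap(plain, 0, TIMESTAMP_LEN).getLong();
        long age = System.currentTimeMillis() - issuedAt;
        if (age < 0 || age > maxAgeMillis) {
            // A RuntimeException here is caught by AbstractRememberMeManager, which clears the
            // cookie (onRememberedPrincipalFailure); the request then proceeds as not remembered.
            throw new IllegalStateException("remember-me cookie expired or carries a future timestamp");
        }
        return deserialize(Arrays.copyOfRange(plain, TIMESTAMP_LEN, plain.length));
    }

    /** Wire the manager into a web security manager; the Base64 key comes from your secret store. */
    public static DefaultWebSecurityManager configure(DefaultWebSecurityManager securityManager, String base64Key) {
        byte[] key = Base64.decode(base64Key);
        securityManager.setRememberMeManager(new ExpiringRememberMeManager(key, 14 * 24 * 3600));
        return securityManager;
    }

    /** One-off helper to mint a fresh 128-bit key to paste into configuration. */
    public static String newBase64Key() {
        Key key = new AesCipherService().generateNewKey();
        return Base64.encodeToString(key.getEncoded());
    }
}
```

Two caveats. The timestamp only stops honest clients from presenting a cookie past its max age; it does nothing against someone who holds the key, and a CBC-mode ciphertext without an authentication tag can still be manipulated, so the key must stay secret and an authenticated mode is preferable where the Shiro version offers one. Rotating the key invalidates every remember-me cookie issued before the rotation, which is usually what you want after a suspected leak. Later Shiro releases generate a random key at startup rather than shipping a fixed one; that removes the forge-any-user problem but also means cookies stop working at every restart and across cluster nodes, so setting an explicit key as above is still the right configuration.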