Spring RememberMe processAutoLoginCookie

I'm using Spring Security 3.0.0 and persistent RememberMe. When the server restarts and a browser window is still open, we need to be able to continue using the application without having to log in again, if remember me is selected.

I'm getting an `org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack` when I try to continue using the application after a server restart. What I notice is that the processAutoLoginCookie method gets called twice. I'm not sure why. The behavior of the method itself seems to be correct, i.e., update the token in the database and update the cookie in the client.

Any help on this would be appreciated.

Thank you.

asked Jan 18 '11 18:01 by smk


1 Answer

I was getting the exact same issue! The processAutoLoginCookie was getting called twice in succession so that the first call was successful, but the second call fails because the cookie is updated by the first call.

My only solution was to subclass PersistentTokenBasedRememberMeServices and override the processAutoLoginCookie method. I had to copy the existing code for processAutoLoginCookie and comment out the throwing of the CookieTheftException.

Note: My solution will open up a security hole!

If you are happy to allow for Cookie Thefts to occur (my system is used internally and does not contain sensitive data) then this solution will work.

Alternatively, you could also subclass PersistentTokenBasedRememberMeServices and add a more robust solution that still checks for Cookie Theft Exceptions but allows the two successive calls to processAutoLoginCookie to be made.

answered Oct 04 '22 03:10 by jasop
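The answer's second option (keep the theft check, but tolerate the immediate duplicate call) can be implemented as follows. This is an added example, not code from the answer's author or from the Spring Security project: a hypothetical `GraceWindowRememberMeServices` that mirrors the parent's series/token check, and on a token mismatch accepts the cookie only if the presented token is the one this instance rotated away within the last few seconds for that same series, and only once. Any other mismatch still revokes the user's tokens and throws `CookieTheftException`, exactly as the stock class does. It assumes the three-argument constructor (Spring Security 3.1 style; with 3.0.0 use the no-argument constructor plus setters) and an assumed grace window of 5 seconds.

```java
import java.util.Arrays;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.CookieTheftException;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationException;

/**
 * Hypothetical subclass (not part of Spring Security). Keeps the series/token
 * theft check, but lets the second of two back-to-back auto-login calls for the
 * same series through when it still carries the token that was just rotated away.
 */
public class GraceWindowRememberMeServices extends PersistentTokenBasedRememberMeServices {

    /** Assumed value: how long (ms) a superseded token is still accepted after rotation. */
    private static final long GRACE_MS = 5_000L;

    private final PersistentTokenRepository repository;

    /** series id -> the token value that was just superseded and when that happened. */
    private final Map<String, Superseded> recentlyRotated = new ConcurrentHashMap<String, Superseded>();

    private static final class Superseded {
        final String previousToken;
        final long rotatedAt;
        Superseded(String previousToken, long rotatedAt) {
            this.previousToken = previousToken;
            this.rotatedAt = rotatedAt;
        }
    }

    public GraceWindowRememberMeServices(String key, UserDetailsService userDetailsService,
                                         PersistentTokenRepository repository) {
        super(key, userDetailsService, repository);
        this.repository = repository;
    }

    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
                                                 HttpServletResponse response) {
        if (cookieTokens.length != 2) {
            throw new InvalidCookieException("Cookie token did not contain 2 tokens, but contained '"
                    + Arrays.asList(cookieTokens) + "'");
        }
        final String presentedSeries = cookieTokens[0];
        final String presentedToken = cookieTokens[1];

        PersistentRememberMeToken stored = repository.getTokenForSeries(presentedSeries);
        if (stored == null) {
            throw new RememberMeAuthenticationException("No persistent token found for series id: " + presentedSeries);
        }

        if (!presentedToken.equals(stored.getTokenValue())) {
            // Mismatch. Is it the duplicate call with the token we rotated away a moment ago?
            Superseded prev = recentlyRotated.remove(presentedSeries); // one-shot: consumed on first use
            boolean duplicateOfJustRotated = prev != null
                    && prev.previousToken.equals(presentedToken)
                    && System.currentTimeMillis() - prev.rotatedAt <= GRACE_MS;
            if (!duplicateOfJustRotated) {
                // Genuine mismatch: same response as the parent class, every token of this user is revoked.
                repository.removeUserTokens(stored.getUsername());
                throw new CookieTheftException(
                        "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.");
            }
            // The browser already holds the rotated token from the first call; do not rotate again.
            return getUserDetailsService().loadUserByUsername(stored.getUsername());
        }

        if (stored.getDate().getTime() + getTokenValiditySeconds() * 1000L < System.currentTimeMillis()) {
            throw new RememberMeAuthenticationException("Remember-me login has expired");
        }

        // Normal path: rotate the token, remember the superseded value briefly, send the new cookie.
        PersistentRememberMeToken rotated = new PersistentRememberMeToken(
                stored.getUsername(), stored.getSeries(), generateTokenData(), new Date());
        repository.updateToken(rotated.getSeries(), rotated.getTokenValue(), rotated.getDate());
        recentlyRotated.put(presentedSeries, new Superseded(presentedToken, System.currentTimeMillis()));
        setCookie(new String[] { rotated.getSeries(), rotated.getTokenValue() },
                getTokenValiditySeconds(), request, response);

        return getUserDetailsService().loadUserByUsername(stored.getUsername());
    }
}
```

Wire it in wherever the stock `PersistentTokenBasedRememberMeServices` bean was declared, passing the same key, `UserDetailsService` and `PersistentTokenRepository`. The grace entry is consumed on first use and expires after `GRACE_MS`, so the window a replayed old cookie could exploit is one extra request within a few seconds of the rotation, rather than the unlimited reuse you get by commenting out the exception. The map is per JVM, so on a clustered deployment the two calls must reach the same node (sticky sessions) or the superseded-token record has to live in a shared store.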