This question already has an answer here: Spring Security Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack
My SecurityConfig class, where I configure the remember-me feature backed by userService and persistentTokenRepository():
```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userService;

    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/js/**", "/css/**", "/img/**", "/webjars/**").permitAll()
                .anyRequest().authenticated()
            // ... and login, and logout
            .and()
            .rememberMe()
                // resolves the username stored with the token to a UserDetails
                .userDetailsService(userService)
                // persistent series/token scheme instead of the hash-based cookie
                .tokenRepository(persistentTokenRepository());
    }

    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl tokenRepository = new JdbcTokenRepositoryImpl();
        tokenRepository.setDataSource(dataSource);
        // expects the persistent_logins table to exist (or call setCreateTableOnStartup(true))
        return tokenRepository;
    }
}
```
Use case:
- A user opens the Login page in his browser and logs in with the "Remember Me" option enabled.
- [Back-end] New remember-me token is generated, persisted in DB and sent to the user. Default expiration is 2 weeks.
- The user is redirected to Homepage.
- The user closes the browser to end the browsing session.
- The user starts the browser again and goes to the Home page again.
Expected result: [Back-end] No exceptions, the token in DB is matched with the remember-me cookie. [Front-end] The user is successfully authenticated and can proceed to homepage.
Actual result: [Back-end] CookieTheftException is thrown. The token is deleted from DB. [Front-end] User is redirected to Login page.
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:119) ~[spring-security-web-5.0.9.RELEASE.jar:5.0.9.RELEASE]
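The exception text above comes from the series/token scheme that PersistentTokenBasedRememberMeServices implements: the cookie carries a fixed series identifier plus a token that is rotated on every successful auto-login, and a request that presents the right series with the wrong token is treated as cookie theft, after which every token for that user is deleted. The following is an added example, not code from the question or from Spring Security: a small Python model of that scheme (class names, the in-memory store and the base64 "series:token" cookie layout are assumptions modelled on the Spring classes) that shows how a stale cookie value replayed against a still-live series produces exactly the symptom reported, the mismatch exception plus an emptied token table, so that even the freshly rotated cookie no longer logs in.

```python
import base64
import hmac
import secrets
import time
from dataclasses import dataclass


class CookieTheftException(Exception):
    """Series found, but the presented token differs: Spring's theft heuristic."""


class InvalidCookieException(Exception):
    """Malformed, unknown-series or expired cookie."""


@dataclass
class PersistentToken:
    username: str
    series: str
    token: str
    last_used: float


class InMemoryTokenRepository:
    """Stand-in (assumption) for JdbcTokenRepositoryImpl's persistent_logins table."""

    def __init__(self):
        self._by_series = {}

    def create_new_token(self, token):
        self._by_series[token.series] = token

    def update_token(self, series, token_value, last_used):
        row = self._by_series[series]
        row.token = token_value
        row.last_used = last_used

    def get_token_for_series(self, series):
        return self._by_series.get(series)

    def remove_user_tokens(self, username):
        for series in [s for s, t in self._by_series.items() if t.username == username]:
            del self._by_series[series]

    def tokens_for(self, username):
        return [t for t in self._by_series.values() if t.username == username]


class PersistentTokenRememberMeServices:
    """Simplified model of PersistentTokenBasedRememberMeServices (not Spring's code)."""

    TOKEN_VALIDITY_SECONDS = 14 * 24 * 3600  # Spring's default validity: two weeks

    def __init__(self, repo, clock=time.time):
        self.repo = repo
        self.clock = clock

    @staticmethod
    def _encode(series, token):
        return base64.b64encode(f"{series}:{token}".encode()).decode()

    @staticmethod
    def _decode(cookie):
        try:
            series, token = base64.b64decode(cookie).decode().split(":")
        except Exception:
            raise InvalidCookieException("cookie is not base64('series:token')")
        return series, token

    def login_success(self, username):
        """Interactive login with remember-me: new series, new token, new DB row."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.repo.create_new_token(PersistentToken(username, series, token, self.clock()))
        return self._encode(series, token)

    def auto_login(self, cookie):
        """Cookie-only login; returns (username, rotated cookie) or raises."""
        series, presented = self._decode(cookie)
        row = self.repo.get_token_for_series(series)
        if row is None:
            raise InvalidCookieException("No persistent token found for series")
        if not hmac.compare_digest(presented.encode(), row.token.encode()):
            # Same series, different token: either a thief already rotated the
            # cookie, or the legitimate client replayed a value the server had
            # already rotated. The server cannot tell these apart, so it wipes
            # every token for the user and fails the login.
            self.repo.remove_user_tokens(row.username)
            raise CookieTheftException("Invalid remember-me token (Series/token) mismatch")
        if row.last_used + self.TOKEN_VALIDITY_SECONDS < self.clock():
            raise InvalidCookieException("remember-me token has expired")
        # Success: keep the series, rotate the token, send the new pair back.
        new_token = secrets.token_urlsafe(16)
        self.repo.update_token(series, new_token, self.clock())
        return row.username, self._encode(series, new_token)


def replay_scenario():
    """Login, one valid auto-login, then a second request presenting the stale cookie."""
    repo = InMemoryTokenRepository()
    svc = PersistentTokenRememberMeServices(repo)
    first_cookie = svc.login_success("alice")
    user, rotated_cookie = svc.auto_login(first_cookie)  # accepted, token rotated
    try:
        svc.auto_login(first_cookie)  # stale token for a live series
        outcome = "accepted"
    except CookieTheftException:
        outcome = "theft"
    try:
        svc.auto_login(rotated_cookie)  # the wipe also killed the good cookie
        later = "accepted"
    except InvalidCookieException:
        later = "no-token"
    return user, outcome, later, len(repo.tokens_for("alice"))
```

The point to take from replay_scenario is that the theft check fires on any reuse of an already-rotated token value, not only on genuine theft; anything that lets the server rotate the token while the client keeps presenting the old pair (a response whose Set-Cookie never reached the browser's cookie store, or a second request sent with the same cookie before the first response arrived) leaves the user with an empty persistent_logins table and a redirect to the login page.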