I'm using Spring Security 3.0.0 and persistent RememberMe. When the server restarts and a browser window is still open, we need to be able to continue using the application without having to log in - if remember me is selected.
I'm getting an org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack, when I try to continue to use the application after a server restart. What I notice is that the processAutoLoginCookie method gets called twice. I'm not sure why. The behavior of the method itself seems to be correct, i.e., update the token in the database and update the cookie in the client.
Any help on this would be appreciated.
Thank you.
I was getting the exact same issue! The processAutoLoginCookie was getting called twice in succession so that the first call was successful, but the second call fails because the cookie is updated by the first call.
My only solution was to subclass PersistentTokenBasedRememberMeServices and override the processAutoLoginCookie method. I had to copy the existing code for processAutoLoginCookie and comment out the throwing of the CookieTheftException.
Note: My solution will open up a security hole!
If you are happy to allow for Cookie Thefts to occur (my system is used internally and does not contain sensitive data) then this solution will work.
Alternatively, you could also subclass PersistentTokenBasedRememberMeServices and add a more robust solution that still checks for Cookie Theft Exceptions but allows the two successive calls to processAutoLoginCookie to be made.
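As an added illustration of the second option in the answer above (example code, not the poster's or Spring Security's own): a subclass that still rejects a token mismatch as cookie theft, but tolerates the one case where two near-simultaneous requests carry the same cookie, by remembering the token value that was just rotated out for a short grace window. Assumptions: the 3-argument superclass constructor (on 3.0.x use the setters instead), and the names GracePeriodRememberMeServices, GRACE_MILLIS and recentlyRotated are mine.

```java
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.*;
public class GracePeriodRememberMeServices extends PersistentTokenBasedRememberMeServices {
    private static final long GRACE_MILLIS = 10 * 1000L; // constructed value; keep the window short
    private final PersistentTokenRepository repo;
    // series -> {token value just rotated out, rotation time}. Per-JVM only: a cluster needs a
    // shared store, and a production version should evict entries older than GRACE_MILLIS.
    private final Map<String, Object[]> recentlyRotated = new ConcurrentHashMap<String, Object[]>();
    public GracePeriodRememberMeServices(String key, UserDetailsService uds, PersistentTokenRepository repo) {
        super(key, uds, repo); // assumption: 3-arg constructor; on 3.0.x call setKey/setUserDetailsService/setTokenRepository
        this.repo = repo;
    }
    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
                                                 HttpServletResponse response) {
        if (cookieTokens.length != 2) throw new InvalidCookieException("Expected 2 cookie tokens");
        String series = cookieTokens[0], presented = cookieTokens[1];
        PersistentRememberMeToken token = repo.getTokenForSeries(series);
        if (token == null) throw new RememberMeAuthenticationException("No persistent token for series " + series);
        if (!presented.equals(token.getTokenValue())) {
            Object[] prev = recentlyRotated.get(series);
            boolean concurrentRace = prev != null && presented.equals(prev[0])
                    && System.currentTimeMillis() - (Long) prev[1] < GRACE_MILLIS;
            if (!concurrentRace) { // genuine mismatch: same response as the stock implementation
                repo.removeUserTokens(token.getUsername());
                throw new CookieTheftException("Invalid remember-me token (Series/token) mismatch.");
            }
            // Second of two near-simultaneous requests: re-send the current cookie, do not rotate again.
            setCookie(new String[] { series, token.getTokenValue() }, getTokenValiditySeconds(), request, response);
            return getUserDetailsService().loadUserByUsername(token.getUsername());
        }
        if (token.getDate().getTime() + getTokenValiditySeconds() * 1000L < System.currentTimeMillis()) {
            throw new RememberMeAuthenticationException("Remember-me login has expired");
        }
        String fresh = generateTokenData(); // normal path: rotate the token and remember the old value briefly
        repo.updateToken(series, fresh, new Date());
        recentlyRotated.put(series, new Object[] { token.getTokenValue(), System.currentTimeMillis() });
        setCookie(new String[] { series, fresh }, getTokenValiditySeconds(), request, response);
        return getUserDetailsService().loadUserByUsername(token.getUsername());
    }
}
```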