CookieTheftException: Invalid remember-me token (Series/token) mismatch.

  • CookieTheftException: Invalid remember-me token (Series/token) mismatch.

    I have been researching this issue, but I haven't found anything that works or even explains what is happening.

    User can log in with the "remember-me" option set, and a "remember-me" cookie is issued whose expiry date is April 18th (well in the future). User closes the browser, reopens it, and comes back to the site. When attempting to access the restricted pages, sometimes there is no immediate issue (the cookie is recognized and the user is signed in correctly) and other times the exception is thrown right away.

    Attached bad.txt, which is a DEBUG-level log of the user attempting to access a restricted page after opening the browser again. It shows that the first request went through fine, but the second one did not.

    It's been a very long day, so am I missing something? Any help whatsoever would be greatly appreciated! Here is my security configuration, if I need to post anything else I will be happy to!

    Code:
    <!--
      Spring Security (namespace-style) configuration: form login, a database-backed
      persistent remember-me cookie, a custom logout filter and a DAO-backed
      username/password provider.
      NOTE(review): the beans schema is pinned to 3.1 while the security schema is
      pinned to 3.0; confirm both match the Spring / Spring Security jars that are
      actually deployed, since the bean classes used below are version-specific.
    -->
    <beans:beans
    	xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    						http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    
    						http://www.springframework.org/schema/security
    						http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    	<!--
    	  Filter chain. auto-config is off, so form login, remember-me and logout are
    	  the explicitly wired custom-filter beans below; unauthenticated requests for
    	  protected URLs are redirected by loginUrlAuthenticationEntryPoint.
    	  intercept-url rules are evaluated top to bottom and the first match wins, so
    	  the two permitAll exceptions under /account/ must stay above the /account/**
    	  rule.
    	  NOTE(review): no requires-channel is set. The remember-me cookie is a bearer
    	  credential; if these pages can be reached over plain HTTP it is exposed in
    	  transit. Verify that TLS is enforced in front of this application.
    	-->
    	<http use-expressions="true" auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    		<intercept-url pattern="/account/secured" access="isAuthenticated()" />
    		<intercept-url pattern="/account/new" access="permitAll" />
    		<intercept-url pattern="/account/login" access="permitAll" />
    		<intercept-url pattern="/account/**" access="isAuthenticated()" />
    		<intercept-url pattern="/**" access="permitAll" />
    
    		<!-- Project-supplied filters placed at the named slots of the standard chain order. -->
    		<custom-filter position="FORM_LOGIN_FILTER" ref="formAuthenticationFilter" />
    		<custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeAuthenticationFilter" />
    		<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
    	</http>
    
    	<!--
    	  Providers are consulted in order: password credentials first, then remember-me
    	  tokens, which carry no password and are accepted on the strength of the shared
    	  key configured below.
    	-->
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider ref="authenticationProvider" />
    		<authentication-provider ref="rememberMeAuthenticationProvider" />
    	</authentication-manager>
    
    	<!--
    	  Username/password provider backed by customerDao (defined elsewhere; must be a
    	  UserDetailsService).
    	  NOTE(review): ShaPasswordEncoder is used with no saltSource, i.e. an unsalted
    	  SHA hash (SHA-1 by default) of the password. That offers little protection if
    	  the credential table ever leaks. Moving to a salted, adaptive encoder is the
    	  fix, but it requires re-hashing stored passwords, so it is not a drop-in edit.
    	-->
     	<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    		<beans:property name="passwordEncoder">
    			<beans:bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
    		</beans:property>
    		<beans:property name="userDetailsService" ref="customerDao" />
    	</beans:bean>
    
    	<!-- Where unauthenticated requests for protected URLs are redirected. -->
    	<beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    		<beans:property name="loginFormUrl" value="/account/login" />
    	</beans:bean>
    
    	<!--
    	  Custom form-login filter (project class, not shown). It handles POSTs to
    	  /account/login only (postOnly=true) using the "email" and "password" fields;
    	  GETs to the same URL fall through to the login page. rememberMeServices is
    	  wired in so that a successful login can issue the remember-me cookie.
    	  Presumably the class extends AbstractAuthenticationProcessingFilter, which is
    	  where these property names come from; confirm.
    	-->
    	<beans:bean id="formAuthenticationFilter" class="com.foobar.website.security.FormAuthenticationFilter">
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    		<beans:property name="authenticationFailureHandler" ref="failureHandler" />
    		<beans:property name="authenticationSuccessHandler" ref="successHandler" />
    		<beans:property name="usernameParameter" value="email" />
    		<beans:property name="passwordParameter" value="password" />
    		<beans:property name="filterProcessesUrl" value="/account/login" />
    		<beans:property name="postOnly" value="true" />
    		<beans:property name="rememberMeServices" ref="rememberMeServices" />
    	</beans:bean>
    
    	<!--
    	  After login, return to the originally requested page if one was saved.
    	  NOTE(review): the fallback defaultTargetUrl is the login page itself, so a
    	  direct login with no saved request lands back on /account/login. Confirm this
    	  is intended rather than a leftover.
    	-->
    	<beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    		<beans:property name="defaultTargetUrl" value="/account/login" />
    	</beans:bean>
    
    	<!-- Failed logins are sent back to the form with a login_error flag. -->
    	<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    		<beans:property name="defaultFailureUrl" value="/account/login?login_error=true" />
    	</beans:bean>
    
    	<!--
    	  Custom remember-me services (project class, not shown). The tokenRepository
    	  property indicates it builds on the persistent-token implementation
    	  (PersistentTokenBasedRememberMeServices), in which the cookie carries a series
    	  id plus a per-login token that is rotated on every successful auto-login.
    	  The CookieTheftException reported in this post is what that implementation
    	  raises when the series is found but the presented token does not match the
    	  stored one. Besides a genuinely stolen cookie, a common benign cause is two
    	  requests sent with the same old cookie before the browser has stored the
    	  rotated one (e.g. a page plus a resource or XHR request fired at the same
    	  time), which fits the "first request fine, second fails" pattern described
    	  above; check bad.txt for two near-simultaneous requests carrying the same
    	  token value. The key must be identical to the one on
    	  rememberMeAuthenticationProvider.
    	  NOTE(review): "myRememberMeKey" looks like a placeholder. This value is the
    	  secret a remember-me authentication is accepted with, so use a long random
    	  value and keep it out of the checked-in config.
    	-->
    	<beans:bean id="rememberMeServices" class="com.foobar.website.security.RememberMeServices">
    		<beans:property name="tokenRepository" ref="jdbcTokenRepository" />
    		<beans:property name="userDetailsService" ref="customerDao" />
    		<beans:property name="key" value="myRememberMeKey" />
    		<beans:property name="alwaysRemember" value="false" />
    		<beans:property name="parameter" value="remember" />
    		<beans:property name="cookieName" value="remember" />
    	</beans:bean>
    
    	<!--
    	  Persistent-token store. With createTableOnStartup=false the persistent_logins
    	  table must already exist in mysqlDataSource (defined elsewhere).
    	-->
    	<beans:bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
    		<beans:property name="createTableOnStartup" value="false" />
    		<beans:property name="dataSource" ref="mysqlDataSource" />
    	</beans:bean>
    
    	<!-- Accepts remember-me tokens whose key hash matches this key; must equal rememberMeServices.key above. -->
    	<beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    		<beans:property name="key" value="myRememberMeKey" />
    	</beans:bean>
    
    	<!--
    	  When a request arrives with no authentication in the security context, asks
    	  rememberMeServices to validate the cookie and passes the result through the
    	  authentication manager.
    	-->
    	<beans:bean id="rememberMeAuthenticationFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    		<beans:property name="rememberMeServices" ref="rememberMeServices" />
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    	</beans:bean>
    
    	<!--
    	  Logout at /account/logout. Constructor arg 0 is the post-logout URL, arg 1 the
    	  handlers run in order. Listing rememberMeServices first means logout also
    	  cancels the persistent token and clears the cookie (presumably it acts as a
    	  LogoutHandler, as the stock remember-me services do); SecurityContextLogoutHandler
    	  then clears the security context and invalidates the session. The id on the
    	  inner bean is presumably unused, since inner beans are not addressable by name.
    	-->
    	<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    		<beans:constructor-arg index="0" value="/account/login" />
    		<beans:constructor-arg index="1">
    			<beans:list>
    				<beans:ref bean="rememberMeServices" />
    				<beans:bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    			</beans:list>
    		</beans:constructor-arg>
    		<beans:property name="filterProcessesUrl" value="/account/logout" />
    	</beans:bean>
    
    </beans:beans>