tokenValiditySeconds property on TokenBasedRemembermeServices does nothing

  • tokenValiditySeconds property on TokenBasedRemembermeServices does nothing

    I've got everything working for remember me except for the cookie expiration. I've tried all kinds of values for tokenValiditySeconds, and no matter what value I give, the cookie expiration is: Wed, Jun 1, 2011 11:42:51 AM. Other than rewriting TokenBasedRememberMeServices to generate a better cookie, I'm out of ideas.

    The interesting thing is that even if I don't set tokenValiditySeconds and rely on the default, the expiration on all the rememberme cookies is Wed, Jun 1, 2011 11:42:51 AM!

    I'm using tokenValiditySeconds like so:

    <bean id="rememberMeProcessingFilter"
          class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
        <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
        <property name="authenticationManager"><ref local="authenticationManager"/></property>
    </bean>

    <bean id="rememberMeServices"
          class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService"><ref local="authenticationDao"/></property>
        <property name="tokenValiditySeconds"><value>864000</value></property>
        <property name="key"><value>springRocks</value></property>
        <property name="parameter"><value>_acegi_security_remember_me</value></property>
    </bean>

    <bean id="rememberMeAuthenticationProvider"
          class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
        <property name="key"><value>springRocks</value></property>
    </bean>

  • #2
    Looks like I found a bug with TokenBasedRememberMeServices

    I decompiled the TokenBasedRememberMeServices.class file in the acegi jar file and I think I've found a bug.

    Here's the method for creating a cookie:

    protected Cookie makeValidCookie(long expiryTime, String tokenValueBase64)
    {
        Cookie cookie = new Cookie("ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE", tokenValueBase64);
        cookie.setMaxAge(157680000);
        return cookie;
    }

    The expiryTime appears to be hard-coded at 5 years, which is why, no matter what value I set for tokenValiditySeconds, the cookie expiration is 5 years!

    I guess I'll extend TokenBasedRememberMeServices and override the makeValidCookie method without the hardcoding.


    • #3
      tokenValiditySeconds is the cookie validity from the server's perspective, so it determines how long the token will be a valid substitute for logging in, not when it will be deleted by the browser.

      There's probably no good reason why the cookie's max age shouldn't be linked to this property though, so I've opened an issue for it:

      http://opensource.atlassian.com/proj...browse/SEC-298


      • #4
        And you don't need to decompile the classes - you can download a nightly build archive of the source or browse it on the build site here:

        http://acegisecurity.org/multiprojec...ref/index.html

        complete with comments.

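The override proposed in post #2, written so that the browser-side cookie lifetime follows the server-side token expiry described in post #3. This is an added example, not code from the thread or from Acegi itself: the class name and the `maxAgeSeconds` helper are hypothetical, the `makeValidCookie` signature and cookie name are taken from the decompiled method in post #2, and `expiryTime` is assumed to be an absolute time in milliseconds since the epoch.

```java
package example; // hypothetical package name

import javax.servlet.http.Cookie;

import org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices;

/**
 * Remember-me services whose cookie Max-Age tracks the token's expiry
 * instead of the fixed 157680000 seconds seen in post #2.
 */
public class ExpiringTokenBasedRememberMeServices extends TokenBasedRememberMeServices {

    // Cookie name as it appears in the decompiled method in post #2.
    private static final String COOKIE_NAME = "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE";

    protected Cookie makeValidCookie(long expiryTime, String tokenValueBase64) {
        Cookie cookie = new Cookie(COOKIE_NAME, tokenValueBase64);
        // Let the browser drop the cookie when the server stops accepting the token.
        cookie.setMaxAge(maxAgeSeconds(expiryTime, System.currentTimeMillis()));
        return cookie;
    }

    /**
     * Converts an absolute expiry (assumed: milliseconds since the epoch) into
     * the relative number of seconds that Cookie.setMaxAge expects.
     */
    static int maxAgeSeconds(long expiryTimeMillis, long nowMillis) {
        long remainingSeconds = (expiryTimeMillis - nowMillis) / 1000L;
        if (remainingSeconds <= 0) {
            // Token already expired: a Max-Age of 0 asks the browser to delete the cookie.
            return 0;
        }
        // setMaxAge takes an int; clamp very long validity periods instead of overflowing.
        return (int) Math.min(remainingSeconds, (long) Integer.MAX_VALUE);
    }
}
```

To use it, point the `class` attribute of the `rememberMeServices` bean at this subclass; the existing `tokenValiditySeconds` property then governs both the server-side check and the cookie lifetime.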