why having CookieTheftException?

  • why having CookieTheftException?

    Hello there,
    I am using the remember me service with a data source reference.
    It works fine for a very little time, but when I close the browser and try to come back after a period of time, I got this exception. Why?
    Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack

  • #2
    What version of Spring Security, and where (and how) are your remember me tokens stored?

    • #3
      I am using Spring 3,
      and I am using remember me with the Persistent Token Approach,
      as follows:

      Code:
      <http>
          <remember-me token-repository-ref="tokenRepository"
                       token-validity-seconds="1209600"/>
      </http>

      <beans:bean id="tokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
          <beans:property name="dataSource" ref="dataSource"/>
      </beans:bean>
      and I created the persistent_logins table in the database as follows:

      Code:
      create table persistent_logins (
          username  varchar(64) not null,
          series    varchar(64) primary key,
          token     varchar(64) not null,
          last_used timestamp   not null
      )

      • #4
        What specific version of Spring Security, please? The early point releases had some issues with remember me, specifically 3.0.1.

        • #5
          version 3.0.0

          • #6
            You may be hitting SEC-1356, fixed in Spr Sec 3.0.2. Try upgrading and see what happens.

            • #7
              So should I upgrade to the latest version and use the same code, or does it differ?

              • #8
                Same code.

                • #9
                  I upgraded to the latest version (in the pom.xml file),
                  but the problem still exists:

                  Code:
                  <properties>
                      <spring.version>3.0.0.RELEASE</spring.version>
                      <spring-security.version>3.0.2.RELEASE</spring-security.version>
                      <tiles.version>2.1.3</tiles.version>
                  </properties>

                  <dependency>
                      <groupId>org.springframework.security</groupId>
                      <artifactId>spring-security-core</artifactId>
                      <version>${spring-security.version}</version>
                  </dependency>
                  <dependency>
                      <groupId>org.springframework.security</groupId>
                      <artifactId>spring-security-web</artifactId>
                      <version>${spring-security.version}</version>
                  </dependency>
                  <dependency>
                      <groupId>org.springframework.security</groupId>
                      <artifactId>spring-security-config</artifactId>
                      <version>${spring-security.version}</version>
                  </dependency>
                  <dependency>
                      <groupId>org.springframework.security</groupId>
                      <artifactId>spring-security-taglibs</artifactId>
                      <version>${spring-security.version}</version>
                  </dependency>
                  Is there something that should also be changed here in the security.xml file:

                  Code:
                  <beans:beans xmlns="http://www.springframework.org/schema/security"
                      xmlns:beans="http://www.springframework.org/schema/beans"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xsi:schemaLocation="http://www.springframework.org/schema/beans
                          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                          http://www.springframework.org/schema/security
                          http://www.springframework.org/schema/security/spring-security-3.0.xsd">

                  • #10
                    Please enable logging and post with the log files when the cookie theft exception is being reported.

                    • #11
                      I forgot to mention the special case when this exception occurs:
                      the server sends automated emails via localhost (postfix);
                      when a remembered user tries to access any link from the email after a period of time,
                      the exception occurs.

                      • #12
                        There's something I am missing too:
                        how is the cookie saved on the user's PC when using the persistent token approach?
                        I noticed that the cookie is inserted automatically in the persistent_logins table when the user hits remember me, but what about the user's PC?

                        • #13
                          The documentation says:
                          Note that both implementations (Simple Hash-Based Token Approach, Persistent Token Approach) require a UserDetailsService, and I am using a jdbc-user-service; might that cause the problem?

                          Code:
                          <authentication-manager alias="authenticationManager">
                              <authentication-provider>
                                  <password-encoder hash="md5"/>
                                  <jdbc-user-service data-source-ref="dataSource"/>
                              </authentication-provider>
                          </authentication-manager>

                          • #14
                            Please attach logs as requested

                            • #15
                              The log shows only the exception:

                              Code:
                              org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
                                  org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:90)
                                  org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:87)
                                  org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:77)
                                  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
                                  org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
                                  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
                                  org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
                                  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
                                  org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
                                  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
                                  org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
                                  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
                                  org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
                                  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
                                  org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
                                  org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
                                  org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
                              But you didn't tell me: isn't using the jdbc-user-service the UserDetailsService the tutorial recommended (both implementations require a UserDetailsService)?
                              And should I include any other attributes in the remember-me element?


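What the "Series/token mismatch" check in the stack trace above actually compares, as an added example that is not from this thread and not Spring Security's code: a small Python model of the persistent-token scheme the configuration in #3 uses, run over the same persistent_logins table the poster created. It answers the client-side question in #12 (the browser keeps a single cookie carrying the series and the current token; the database row holds the same pair plus last_used) and shows the exact condition behind the exception in #15. The function names (login_success, auto_login, present_cookie, stale_copy_scenario), the base64 "series:token" cookie layout, the SQLite store and the user "alice" are assumptions of this example; the validity period is the 1209600 seconds from the poster's remember-me element.

```python
import base64
import secrets
import sqlite3
import time

TOKEN_VALIDITY_SECONDS = 1209600  # token-validity-seconds from the poster's config


class RememberMeAuthenticationException(Exception):
    """Cookie rejected for a non-theft reason: malformed, unknown series, expired."""


class CookieTheftException(RememberMeAuthenticationException):
    """Series is known but the token differs: a second copy of the cookie
    (stolen, or merely stale) was presented after the token had been rotated."""


def open_token_repository():
    # Constructed: an in-memory SQLite database created with the poster's own DDL.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table persistent_logins (username varchar(64) not null, "
        "series varchar(64) primary key, token varchar(64) not null, "
        "last_used timestamp not null)"
    )
    return conn


def encode_cookie(series, token):
    # Assumption of this model: the cookie value is base64 of "series:token".
    return base64.b64encode(f"{series}:{token}".encode()).decode()


def decode_cookie(cookie):
    try:
        series, token = base64.b64decode(cookie).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        raise RememberMeAuthenticationException("Malformed remember-me cookie")
    return series, token


def login_success(conn, username, now=None):
    """Interactive login with 'remember me' ticked: mint a fresh series and
    token, store the row, and return the cookie value the browser keeps."""
    now = time.time() if now is None else now
    series, token = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
    conn.execute("insert into persistent_logins values (?, ?, ?, ?)",
                 (username, series, token, now))
    return encode_cookie(series, token)


def auto_login(conn, cookie, now=None):
    """Validate a presented cookie; on success rotate the token and return
    (username, replacement cookie). Check order: series, token, expiry."""
    now = time.time() if now is None else now
    series, presented = decode_cookie(cookie)
    row = conn.execute(
        "select username, token, last_used from persistent_logins where series = ?",
        (series,)).fetchone()
    if row is None:
        raise RememberMeAuthenticationException("No persistent token found for series")
    username, stored, last_used = row
    if not secrets.compare_digest(presented.encode(), stored.encode()):
        # Known series, wrong token. Assumption: discard every token of this
        # user so neither holder of the cookie stays logged in.
        conn.execute("delete from persistent_logins where username = ?", (username,))
        raise CookieTheftException(
            "Invalid remember-me token (Series/token) mismatch. "
            "Implies previous cookie theft attack.")
    if last_used + TOKEN_VALIDITY_SECONDS < now:
        raise RememberMeAuthenticationException("Remember-me login has expired")
    new_token = secrets.token_urlsafe(12)  # the series stays fixed, only the token rotates
    conn.execute("update persistent_logins set token = ?, last_used = ? where series = ?",
                 (new_token, now, series))
    return username, encode_cookie(series, new_token)


def present_cookie(conn, cookie, now=None):
    """Verdict-returning wrapper: ('ok', user, new_cookie), ('theft', None, None)
    or ('rejected', None, None)."""
    try:
        username, new_cookie = auto_login(conn, cookie, now=now)
        return "ok", username, new_cookie
    except CookieTheftException:
        return "theft", None, None
    except RememberMeAuthenticationException:
        return "rejected", None, None


def stale_copy_scenario():
    """One browser presents an old copy of the cookie after a request already
    rotated the token: the second use is indistinguishable from a stolen cookie."""
    conn = open_token_repository()
    first = login_success(conn, "alice")
    verdict1, _, fresh = present_cookie(conn, first)   # rotates the token, reissues cookie
    verdict2, _, _ = present_cookie(conn, first)       # stale copy: same series, old token
    verdict3, _, _ = present_cookie(conn, fresh)       # even the fresh cookie is now dead
    rows = conn.execute("select count(*) from persistent_logins").fetchone()[0]
    return verdict1, verdict2, verdict3, rows


if __name__ == "__main__":
    print(stale_copy_scenario())  # ('ok', 'theft', 'rejected', 0)
```

Every successful auto-login rewrites the token half of the pair and sends the browser a replacement cookie, so any client that keeps presenting an older copy (a second tab or window that raced the first request, a restored browser session, a client that never stored the rotated Set-Cookie) trips the same check a genuine stolen cookie would, and the whole series is then invalidated. When investigating this exception, the useful questions are therefore which request last rotated the token for that series and whether the client actually received and stored the updated cookie, not only whether someone else has the cookie.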