Why am I getting a CookieTheftException?
  • #16
    No, your configuration looks fine, as far as I can tell. Please enable DEBUG logging and post the logs. Can you confirm that you have only one Spring Sec application deployed to this app server?



    • #17
      The Tomcat app server contains more than one application, each using its own Spring Security.
      I tried testing the application on a separate Tomcat app server that contains only my application, and it works fine, so what's your opinion on what was causing this exception?



      • #18
        Originally posted by pmularien:
        > You may be hitting SEC-1356, fixed in Spr Sec 3.0.2. Try upgrading and see what happens.

        Did you look at this bug? Did you upgrade ALL applications on this server to Spr Sec 3.0.2?



        • #19
          OK, I will test updating all the apps.
          This is the debug output when the exception occurs:

          Code:
          DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 1 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@560be823'
          DEBUG http-8082-2 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
          DEBUG http-8082-2 org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
          DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 2 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@34a45fc1'
          DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@138a92e7'
          DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@6eb285b6'
          DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 5 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@a68a881'
          DEBUG http-8082-2 org.springframework.security.web.FilterChainProxy - /p/message?mId=1 at position 6 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter@7f0cd67f'
          DEBUG http-8082-2 org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Remember-me cookie detected
          DEBUG http-8082-2 org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Cancelling cookie
          DEBUG http-8082-2 org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession is null, but SecurityContext has not changed from default empty context: ' [email protected]fffff: Null authentication'; not creating HttpSession or storing SecurityContext
          DEBUG http-8082-2 org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
          I am using a custom filter; its position is last, and it checks whether some data exists in the session. Might that be causing the problem,
          or is it something else?



          • #20
            So, any help with the debug output?
            Why is the cookie cancelled after it's detected?



            • #21
              Are these two web applications deployed to the same application server, or different application servers on your local host? If they are different, are they deployed to the same context? (e.g. http://localhost:8080/appone and http://localhost:8082/apptwo)

              If they are deployed on the same host, to different app servers with the same context name, this behavior (cookie theft) would be expected, because the cookie would be re-sent to every application matching the host and path of the cookie.

              Give us more details on how you are deploying the applications you are testing, and specifically what URLs you are using to access them.



              • #22
                I found out that the problem is not in the app server.
                The problem was that the email notifications I send include some images served from my server,
                and the images were filtered.
                So the cookie is sent and then accepted for the image, then the image is displayed,
                and after that, if I try to follow a link to any page from this email,
                the cookie is sent and then cancelled. Why is that?
                So I set the filters for the images to none,
                and now when accessing any link from the email, the cookie is sent and accepted, no problem.

                And I have another question: where is the cookie stored on the client machine, and when does it expire?

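To show why the image fetch described in #22 ends in a cancelled cookie, here is an added example that is not part of this thread and is not Spring Security's own code: a small Python model of the series/token remember-me scheme that PersistentTokenBasedRememberMeServices implements. The cookie carries a fixed series identifier plus a token that is rotated on every use; a request that presents a known series with a token other than the current one is treated as a replayed cookie, and all tokens for that user are wiped. The mail client in the scenario is assumed to send the browser's stored cookie but never to write the rotated one back (a constructed assumption that reproduces what the poster saw); `exempt_prefixes` stands in for mapping `/images/**` to `filters="none"`. Class, function and path names and the in-memory store are all assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass


class CookieTheftException(Exception):
    """Raised when a known series is presented with a token that is not its current one."""


@dataclass
class PersistentToken:
    username: str
    token: str
    last_used: float


class RememberMeServices:
    """Series/token remember-me scheme (names assumed; not Spring Security's API).

    cookie value = (series, token). Each successful use rotates the token, so any
    later request still carrying the old token looks like a replayed (stolen) cookie.
    """

    COOKIE = "remember-me"

    def __init__(self, store, token_validity_seconds, exempt_prefixes=(), clock=time.time):
        self.store = store                      # series -> PersistentToken (token repository)
        self.validity = token_validity_seconds  # plays the role of token-validity-seconds
        self.exempt_prefixes = tuple(exempt_prefixes)  # paths handled with filters="none"
        self.clock = clock                      # injectable for the expiry demo below

    def login(self, username, cookie_jar):
        """Successful form login with remember-me: new series, new token, Set-Cookie."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.store[series] = PersistentToken(username, token, self.clock())
        cookie_jar[self.COOKIE] = (series, token)

    def process(self, path, cookie_jar):
        """Return the remembered username for this request, or None; may raise on replay."""
        if path.startswith(self.exempt_prefixes):   # empty tuple -> False: nothing exempt
            return None                             # bypassed filter chain: cookie untouched
        presented = cookie_jar.get(self.COOKIE)
        if presented is None:
            return None
        series, token = presented
        stored = self.store.get(series)
        if stored is None:                          # unknown series: "Cancelling cookie"
            cookie_jar.pop(self.COOKIE, None)
            return None
        if stored.token != token:
            # Same series, stale token: this cookie was already used by someone. Kill every
            # series of the victim so the holder of the copied cookie is logged out too.
            victim = stored.username
            for s in [s for s, t in self.store.items() if t.username == victim]:
                del self.store[s]
            cookie_jar.pop(self.COOKIE, None)
            raise CookieTheftException(f"series {series} replayed")
        if self.clock() - stored.last_used > self.validity:   # expired since last use
            del self.store[series]
            cookie_jar.pop(self.COOKIE, None)
            return None
        stored.token = secrets.token_urlsafe(16)    # rotate and re-issue the cookie
        stored.last_used = self.clock()
        cookie_jar[self.COOKIE] = (series, stored.token)
        return stored.username


def email_scenario(exempt_images):
    """The thread's situation: remember-me login, a notification mail embedding an image
    served by the app, then a click on a link in that mail (constructed scenario)."""
    store = {}
    svc = RememberMeServices(store, token_validity_seconds=1209600,
                             exempt_prefixes=("/images/",) if exempt_images else ())
    browser = {}
    svc.login("alice", browser)
    mail_client = dict(browser)    # assumption: mail client reads the cookie, never writes it back
    svc.process("/images/logo.png", mail_client)      # image fetch rotates the token unless exempt
    try:
        user = svc.process("/p/message?mId=1", browser)   # link click with the browser's cookie
        return {"user": user, "outcome": "accepted", "series_alive": len(store) == 1}
    except CookieTheftException:
        return {"user": None, "outcome": "theft", "series_alive": len(store) == 1}


def expiry_demo(token_validity_seconds, elapsed):
    """Show the validity window: a cookie used `elapsed` seconds after its last use."""
    now = [1_000_000.0]
    svc = RememberMeServices({}, token_validity_seconds, clock=lambda: now[0])
    jar = {}
    svc.login("bob", jar)
    now[0] += elapsed
    return svc.process("/p/message?mId=2", jar)


if __name__ == "__main__":
    print("images protected:", email_scenario(False))
    print("images exempt:   ", email_scenario(True))
```

With the image path inside the filter chain, `email_scenario(False)` reports `theft` and the series is gone, which is exactly the "Remember-me cookie detected / Cancelling cookie" pair in the debug output of #19: the server cannot tell a mail client replaying a pre-rotation token from an attacker replaying a copied cookie, so the design logs both out. With `/images/` exempt, the image fetch never consumes the token and the link click is accepted. `expiry_demo` shows the other half of #23: the token is valid for `token_validity_seconds` counted from its last use, not from login.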


                • #23
                  Wikipedia has a good article on HTTP cookies. Expiration is handled by the "token-validity-seconds" attribute that you are already using. Glad you figured it out.
