Description
Jean-Pierre Bergamin (Migrated from SEC-2856) said:
After enabling remember-me authentication for our SSO portal, people were complaining about errors they got while logging in. Those errors turned out to be CookieTheftExceptions.
After investigating quite intensively how these exceptions occurred, we found that there are so many regular use cases in which this can happen that this feature can be considered really broken.
h5. Use case 1
- Open two windows in your browser and login to the remember-me enabled web app in both windows
- Close the browser
- Open the browser (with the setting to re-open all previous windows)
- Both windows get re-opened and both send almost simultaneously a request with the same remember-me cookie to the web app
- The first request succeeds, whereas the second one fails (because the first one has already consumed the cookie) and the user is logged out
h5. Use case 2
- Log in to the remember-me enabled web-app
- Close the browser
- Open the browser and visit the web-app again, which triggers a remember-me authentication
- The remember-me authentication takes a while (e.g. because the AD server responds very slowly) and the user closes the tab
- The user visits the web-app again after a while and gets a CookieTheftException and is logged out
The problem here is that the browser never got the response with the updated cookie back, because the user closed the tab beforehand.
h5. Use case 3
- Open your remember-me enabled web-app in Chrome
- Close the browser
- Start entering the URL of your web-app in Chrome's address bar and hit enter
- You get a CookieTheftException and are logged out
What happens here is that Chrome already sends a request in the background while the URL is being entered. When enter is hit before the background request has returned with a new cookie in its response, a second request with the same cookie is sent again - which leads to a CookieTheftException.
h5. Use case 4
- The remember-me enabled web-app is an SSO (single sign-on) application through which people authenticate for various other web-apps
- Open different web-apps which use the SSO in different tabs
- Close the browser
- Open the browser again (with the setting to re-load all previous tabs)
- The different web-apps in the different tabs need to re-login with the SSO app and immediately redirect to it after loading
- You get a CookieTheftException and are logged out
The problem here is that all web-apps redirect to the SSO app and query it almost simultaneously, which leads to the CookieTheftException.
As you can see, this CookieTheftException detection does more harm than the problem it tries to resolve. The PersistentTokenBasedRememberMeServices should have a way to disable the cookie theft detection on demand.
Currently we "disable" the cookie theft detection by always returning constant token data, like this:
{code:java}
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

public class CustomPersistentTokenBasedRememberMeServices extends PersistentTokenBasedRememberMeServices {

    public CustomPersistentTokenBasedRememberMeServices(String key, UserDetailsService userDetailsService,
            PersistentTokenRepository tokenRepository) {
        super(key, userDetailsService, tokenRepository);
    }

    @Override
    protected String generateTokenData() {
        // Return a constant value for the token value to avoid CookieTheftExceptions.
        // Because the token never rotates, a presented cookie always matches the stored token.
        return "U1WUsKXNkM0Jzpozau/BeQ==";
    }
}
{code}
The PersistentTokenBasedRememberMeServices class should be configurable to have cookie theft detection turned on or off.
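As an added illustration (not part of this ticket and not Spring Security's code), the following Python model of the series/token scheme behind PersistentTokenBasedRememberMeServices replays use case 1 with token rotation on and off; `rotate_token=False` stands in for the constant `generateTokenData()` override above, and the last function shows what that override gives up. The class and function names and the in-memory repository are assumptions made for the model.

```python
import secrets

class CookieTheftException(Exception):
    """Series found, but the presented token differs from the stored one."""

class RememberMeModel:
    """Toy model of PersistentTokenBasedRememberMeServices (not Spring's code);
    the token repository is the dict {series: [username, token]}."""
    def __init__(self, rotate_token=True):
        self.repo = {}
        self.rotate_token = rotate_token  # False models the constant-token override

    def login(self, username):  # form login: fresh series and token become the cookie
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.repo[series] = [username, token]
        return series, token

    def auto_login(self, cookie):
        """Remember-me request: returns (username, refreshed cookie) or raises."""
        series, presented = cookie
        username, stored = self.repo[series]  # KeyError: unknown series, no login
        if presented != stored:
            # Same series, different token: the scheme assumes theft, removes every
            # token of that user (logging them out everywhere) and raises.
            for s in [s for s, (u, _) in self.repo.items() if u == username]:
                del self.repo[s]
            raise CookieTheftException(f"token mismatch for series {series}")
        if self.rotate_token:
            self.repo[series][1] = secrets.token_urlsafe(16)  # new token for the cookie
        return username, (series, self.repo[series][1])

def _attempt(svc, cookie):
    try:
        svc.auto_login(cookie)
        return "ok"
    except (CookieTheftException, KeyError):
        return "logged out"

def usecase_1(rotate_token=True):
    """Two restored windows replay one cookie before either sees the rotated one."""
    svc = RememberMeModel(rotate_token)
    cookie = svc.login("alice")
    return [_attempt(svc, cookie) for _window in range(2)]

def stolen_cookie_detected(rotate_token=True):
    """Cost of the workaround: a copied cookie replayed after the owner's next visit."""
    svc = RememberMeModel(rotate_token)
    copied = svc.login("alice")  # a second party holds a copy of this cookie value
    svc.auto_login(copied)       # owner visits; with rotation the copy is now stale
    return _attempt(svc, copied) == "logged out"
```

With rotation the second window is logged out exactly as the ticket describes; with the constant token both windows succeed, but a replayed copy of the cookie is then accepted indefinitely.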