Spring Security / SEC-1217

AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Core
    • Labels:
      None

      Description

      As per the aforementioned thread:

      "If you use HTTPS exclusively, then it is a good idea to set the "secure" flag on the cookie. You can do this by overriding the setCookie method on the AbstractRememberMeServices implementation you are using."

      This is as simple as adding a single line to AbstractRememberMeServices.setCookie():

      cookie.setSecure( request.isSecure() );

      With this snippet, when the request is made from a secure context, the cookie will be sent with a 'secure' attribute set. This could be made optional with a configuration flag; I just think it's messy to require clients to override this class for such simple functionality.
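The override the description proposes, written out as a complete subclass for the 2.0.x line where AbstractRememberMeServices has no secure-cookie flag. This is an added example, not code from the report or from the Spring Security project; the package name and the setCookie/encodeCookie/getCookieName signatures are assumed to match 2.0.x.

```java
// Added example (not the project's own code). Assumes Spring Security 2.0.x, where
// TokenBasedRememberMeServices lives in org.springframework.security.ui.rememberme and
// AbstractRememberMeServices exposes setCookie(String[], int, HttpServletRequest,
// HttpServletResponse), encodeCookie(String[]) and getCookieName().
package example;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.ui.rememberme.TokenBasedRememberMeServices;

public class SecureCookieRememberMeServices extends TokenBasedRememberMeServices {

    @Override
    protected void setCookie(String[] tokens, int maxAge,
                             HttpServletRequest request, HttpServletResponse response) {
        // Rebuild the cookie exactly as the parent does, since the parent method
        // both creates the Cookie and adds it to the response in one step.
        String cookieValue = encodeCookie(tokens);
        Cookie cookie = new Cookie(getCookieName(), cookieValue);
        cookie.setMaxAge(maxAge);

        // Same path rule as the parent: the context path, or "/" for the root context.
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath != null && contextPath.length() > 0 ? contextPath : "/");

        // The one-line change from the report: mark the cookie Secure when the request
        // itself arrived over HTTPS. As the comment thread points out, this ties the
        // attribute to the current request, so a remember-me cookie issued during a
        // plain-HTTP request would still be sent in the clear on later requests; a site
        // served exclusively over HTTPS can pass true unconditionally instead.
        cookie.setSecure(request.isSecure());

        response.addCookie(cookie);
    }
}
```

From 3.0.0 RC1 the same effect needs no subclass: the useSecureCookie property on the bean, or the use-secure-cookie attribute on the remember-me namespace element, sets the flag unconditionally.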

        Activity

        Luke Taylor added a comment -

        This is something I've been meaning to implement for a while and is a good idea. However, it's not as simple as adding that snippet of code as that assumes that the cookie will always be used over a secure connection (which may not be what's desired). A configuration flag "useSecureCookie" would probably be a better approach. If the flag is set, then the cookies will always have the secure flag set on them. More complicated behaviour can still be obtained by extending the class. In most cases where sites are ultra-concerned about security, remember-me functionality shouldn't really be used to start with.

        Luke Taylor added a comment -

        I've added a useSecureCookie flag to the class and a corresponding use-secure-cookie attribute to the remember-me namespace element.


          People

          • Assignee: Luke Taylor
          • Reporter: Jared Stehler
          • Votes: 0
          • Watchers: 0
