Spring Security - SEC-1356

AbstractRememberMeServices#extractRememberMeCookie may use cookie from different context

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.2
    • Component/s: Core
    • Labels: None

      Description

      AbstractRememberMeServices#extractRememberMeCookie verifies the cookie only by its name, but #cancelCookie or #setCookie use the path as well. This leads to a problem when more than one application, deployed under different contexts, is hosted on the same machine. While the cookie from one app is used to log in to /service, when the user logs out from /service the cookie does not vanish (#cancelCookie sets the path).

        Activity

        Luke Taylor added a comment -

        I've modified extractRememberMeCookie to check the path of the incoming cookie against the context path of the request, which should prevent cookies from being mixed up. If someone wants to share them, they should override the setting and extraction methods to use a less-specific path.

        Luke Taylor added a comment -

        This change doesn't make sense, as the browser won't submit the path with the cookie. It only uses the path to decide whether to submit the cookie with a request.

        Luke Taylor added a comment -

        I've reverted the changes for this issue. I think it will be a "won't fix". You will probably have to use different cookie names for different applications, or deploy them under separate distinct paths which don't match.

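The cookie-path behaviour behind the comments above, as an added Python simulation that is not part of this issue or of Spring Security: a browser applies the Path attribute only when deciding whether to send a cookie, the Cookie header carries name=value pairs only, and a cancel cookie sent under a different path does not remove the original. The context paths, cookie names and token value are constructed; an app deployed at the root context issuing a cookie with path "/" is an assumed scenario consistent with the description.

```python
from typing import List, Optional, Tuple

Cookie = Tuple[str, str, str]  # (name, value, path) as stored in the browser's jar


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match, as a browser applies it before sending."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_header(jar: List[Cookie], request_path: str) -> List[Tuple[str, str]]:
    """Build the Cookie header for a request: only name=value survives; the path
    attribute decides whether the cookie is sent at all and is never transmitted."""
    return [(name, value) for name, value, path in jar if path_match(request_path, path)]


def extract_by_name(sent: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Server-side lookup by name only (what a name-based extraction can do);
    the server cannot tell which path the cookie was originally set under."""
    for n, v in sent:
        if n == name:
            return v
    return None


def cancel_cookie(jar: List[Cookie], name: str, path: str) -> List[Cookie]:
    """Server sends 'name=; Max-Age=0; Path=<path>'. The browser replaces only the
    cookie with the same name AND path, so one set under another path survives."""
    return [c for c in jar if not (c[0] == name and c[2] == path)]


def demo(ctx_a: str, ctx_b: str, name_a: str = "remember-me", name_b: str = "remember-me") -> dict:
    """Constructed scenario: app A (context ctx_a) issued a remember-me cookie; the
    user then visits app B (context ctx_b) and logs out there. Empty context -> path '/'."""
    path_a, path_b = ctx_a or "/", ctx_b or "/"
    jar: List[Cookie] = [(name_a, "token-from-A", path_a)]  # constructed token value
    seen_by_b = extract_by_name(cookie_header(jar, ctx_b + "/login"), name_b)
    jar_after = cancel_cookie(jar, name_b, path_b)  # B's logout, path = B's context
    still_sent = extract_by_name(cookie_header(jar_after, ctx_b + "/login"), name_b)
    return {"seen_by_b": seen_by_b, "survives_logout": still_sent is not None}


if __name__ == "__main__":
    print(demo("", "/service"))            # root app's cookie leaks into /service
    print(demo("/app", "/service"))        # non-matching paths: isolated
    print(demo("", "/service", "rm-a", "rm-b"))  # distinct names: isolated
```

Matching paths (a root deployment, or "/app" and "/app/admin") reproduce the reported behaviour; distinct cookie names or non-matching context paths, the two workarounds given in the last comment, do not.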

          People

          • Assignee: Luke Taylor
          • Reporter: Zbigniew Ruchała
          • Votes: 0
          • Watchers: 1