Spring Security: SEC-1827

Remember me use-secure-cookie set to false does not actually prevent the cookie being flagged as secure


    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.RC3
    • Fix Version/s: 3.1.0
    • Component/s: Web
    • Labels:


      In the namespace configuration for Remember me there is the "use-secure-cookie" that should allow the user to choose whether to flag the cookie as secure or not.

      Actually, I think there are 3 scenarios. Flag as secure, don't flag as secure, and (default behaviour) let the container decide based on the original request.

      But the code of RememberMeAuthenticationFilter and AbstractRememberMeServices do not allow the second scenario.

      RememberMeAuthenticationFilter line 348 (3.1 RC3):

      if (useSecureCookie == null) {
          // default: follow the scheme of the original request
          cookie.setSecure(request.isSecure());
      } else {
          // explicit choice from the user's configuration
          cookie.setSecure(useSecureCookie);
      }

      I read this code as "the default behaviour is to flag the cookie based on the original request, otherwise do what the user told us". Unfortunately, useSecureCookie property is never "false" (even if the user set false in the namespace config) because of this code in RememberMeBeanDefinitionParser, line 101:

      if ("true".equals(element.getAttribute(ATT_SECURE_COOKIE))) {
          services.getPropertyValues().addPropertyValue("useSecureCookie", true);
      }

      Letting the user choose the flag can prevent the recurring problem of "login page in https, everything else in http" because the remember me cookie will be sent.
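The following stand-alone Java program is an added illustration, not code from the reporter or from Spring Security. It models the three states of the use-secure-cookie attribute as a tri-state Boolean, reproduces the RC3 parser logic that can only ever set the property to true, places a corrected parser next to it, and applies the setCookie decision from AbstractRememberMeServices to both. The method names (parseRc3, parseFixed, cookieSecureFlag) and the sample configurations are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Spring Security's code): why use-secure-cookie="false"
 * was ignored in 3.1.0.RC3 and how a tri-state parse fixes it.
 */
public class SecureCookieFlag {

    /**
     * Mirrors the RC3 RememberMeBeanDefinitionParser: only the literal "true"
     * sets the property. "false" is never stored, so the property stays null
     * and the cookie falls back to "let the container decide".
     */
    static Boolean parseRc3(String attribute) {
        Boolean useSecureCookie = null;        // property not set on the bean
        if ("true".equals(attribute)) {
            useSecureCookie = Boolean.TRUE;
        }
        return useSecureCookie;                // "false" collapses to null here
    }

    /**
     * Corrected parse (hypothetical): absent attribute keeps the default (null),
     * "true" and "false" are both honoured, anything else is rejected rather
     * than silently treated as "not secure".
     */
    static Boolean parseFixed(String attribute) {
        if (attribute == null || attribute.isEmpty()) {
            return null;                       // default: container decides
        }
        if ("true".equals(attribute)) {
            return Boolean.TRUE;
        }
        if ("false".equals(attribute)) {
            return Boolean.FALSE;
        }
        throw new IllegalArgumentException("use-secure-cookie must be true or false, got: " + attribute);
    }

    /**
     * Mirrors the setCookie decision in AbstractRememberMeServices:
     * null -> follow request.isSecure(), otherwise use the configured value.
     */
    static boolean cookieSecureFlag(Boolean useSecureCookie, boolean requestIsSecure) {
        if (useSecureCookie == null) {
            return requestIsSecure;
        }
        return useSecureCookie;
    }

    public static void main(String[] args) {
        // Constructed sample configurations: attribute absent, "true", "false".
        List<String> configs = Arrays.asList(null, "true", "false");
        // The login page is served over HTTPS, so request.isSecure() is true
        // when the remember-me cookie is written.
        boolean loginRequestIsSecure = true;

        System.out.printf("%-10s %-12s %-12s%n", "attribute", "RC3 parser", "fixed parser");
        for (String cfg : configs) {
            boolean rc3 = cookieSecureFlag(parseRc3(cfg), loginRequestIsSecure);
            boolean fixed = cookieSecureFlag(parseFixed(cfg), loginRequestIsSecure);
            System.out.printf("%-10s %-12s %-12s%n",
                    cfg == null ? "(absent)" : "\"" + cfg + "\"", rc3, fixed);
        }
        // Last row shows the bug: with "false" the RC3 parser still yields a
        // Secure cookie on an HTTPS login, so the browser never sends it back
        // to the application's plain-HTTP pages.
    }
}
```

The "false" row is the scenario from the report: the login page is HTTPS, so request.isSecure() is true and the RC3 code marks the cookie Secure regardless of the configured value. The corrected parse lets the cookie be written without the Secure flag, which is what makes remember-me work on the HTTP pages. Note the trade-off this setting buys: a remember-me token without the Secure flag travels over plain HTTP on every request to those pages, so the default (container decides) remains the safer choice unless the mixed HTTPS/HTTP layout is deliberate.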


        There are no comments yet on this issue.


          • Assignee:
            rwinch Rob Winch
            namero999 Corrado Alesso
          • Votes: 0
          • Watchers: 0

