Spring Security SEC-1827

Remember me use-secure-cookie set to false does not actually prevent the cookie being flagged as secure

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0.RC3
    • Fix Version/s: 3.1.0
    • Component/s: Web
    • Labels: None

      Description

      In the namespace configuration for Remember me there is the "use-secure-cookie" attribute that should allow the user to choose whether to flag the cookie as secure or not.

      Actually, I think there are 3 scenarios: flag as secure, don't flag as secure, and (default behaviour) let the container decide based on the original request.

      But the code of RememberMeAuthenticationFilter and AbstractRememberMeServices do not allow the second scenario.

      RememberMeAuthenticationFilter line 348 (3.1 RC3):

          if (useSecureCookie == null) {
              cookie.setSecure(request.isSecure());
          } else {
              cookie.setSecure(useSecureCookie);
          }

      I read this code as "the default behaviour is to flag the cookie based on the original request, otherwise do what the user told us". Unfortunately, the useSecureCookie property is never "false" (even if the user sets false in the namespace config) because of this code in RememberMeBeanDefinitionParser, line 101:

          if ("true".equals(element.getAttribute(ATT_SECURE_COOKIE))) {
              services.getPropertyValues().addPropertyValue("useSecureCookie", true);
          }

      Letting the user choose the flag can prevent the recurring problem of "login page in https, everything else in http" because the remember me cookie will be sent.
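      As an added illustration (not code from the Spring Security project), the following Java models the three states the report describes: the parser mapping as quoted beside an assumed corrected version, fed into the setSecure decision as quoted. The class and method names are assumptions.

```java
// Added illustration, not Spring Security's own code: a model of the tri-state
// use-secure-cookie attribute and the cookie decision the report quotes.
public class SecureCookieFlagDemo {

    // Mapping as quoted from RememberMeBeanDefinitionParser in the report:
    // only the literal "true" is propagated, so "false" leaves the property null.
    static Boolean parseAttributeBuggy(String attr) {
        if ("true".equals(attr)) {
            return Boolean.TRUE;
        }
        return null;
    }

    // Corrected mapping (assumed fix, not taken from the project): "true" and
    // "false" are both propagated; an absent attribute stays null.
    static Boolean parseAttributeFixed(String attr) {
        if ("true".equals(attr)) {
            return Boolean.TRUE;
        }
        if ("false".equals(attr)) {
            return Boolean.FALSE;
        }
        return null;
    }

    // The setSecure decision quoted in the report: null means follow the
    // scheme of the request that issued the cookie, otherwise honour the config.
    static boolean cookieSecureFlag(Boolean useSecureCookie, boolean requestIsSecure) {
        if (useSecureCookie == null) {
            return requestIsSecure;
        }
        return useSecureCookie;
    }

    public static void main(String[] args) {
        // Scenario from the report: login over HTTPS (so the request that sets
        // the cookie is secure) with each possible use-secure-cookie value.
        boolean loginRequestIsSecure = true;
        for (String attr : new String[] {"true", "false", null}) {
            boolean buggy = cookieSecureFlag(parseAttributeBuggy(attr), loginRequestIsSecure);
            boolean fixed = cookieSecureFlag(parseAttributeFixed(attr), loginRequestIsSecure);
            System.out.printf("use-secure-cookie=%s  buggy: Secure=%b  fixed: Secure=%b%n",
                    attr, buggy, fixed);
        }
    }
}
```

      With the quoted parser the "false" row still comes out Secure, so the browser withholds the remember-me cookie from the site's plain-HTTP pages; with the corrected mapping the cookie is sent, at the cost of exposing the remember-me token to anyone who can observe the HTTP traffic, which is the trade-off the operator is choosing.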


          People

          • Assignee: Rob Winch
          • Reporter: Corrado Alesso
          • Votes: 0
          • Watchers: 0
