Spring Security RememberMe Services with Session Cookie

闹比i 2021-02-06 10:41

I am using Spring Security's RememberMe Services to keep a user authenticated.

I would like to find a simple way to have the RememberMe cookie set as a session cookie.

2 answers
  • 2021-02-06 11:17

    Spring Security 3 does not offer configuration of how the cookie is generated. You have to override the default behaviour:

    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
    
    /** Remember-me services whose cookie carries no Max-Age, so the browser drops it when the session ends. */
    public class PersistentTokenBasedRememberMeServicesCustom extends
        PersistentTokenBasedRememberMeServices {
    
      /** Only needed because the superclass constructor declares a checked exception. */
      public PersistentTokenBasedRememberMeServicesCustom() throws Exception {
        super();
      }
    
      /** Copy of the inherited implementation, minus setting the cookie expiration. */
      @Override
      protected void setCookie(String[] tokens, int maxAge,
          HttpServletRequest request, HttpServletResponse response) {
        String cookieValue = encodeCookie(tokens);
        Cookie cookie = new Cookie(getCookieName(), cookieValue);
        // Deliberately no cookie.setMaxAge(maxAge): a cookie without Max-Age/Expires is session-scoped.
        cookie.setPath("/");
        // The superclass exposes no getter for its secure flag; mirror the request instead of
        // hard-coding false, so the cookie is marked Secure whenever it is served over HTTPS.
        cookie.setSecure(request.isSecure());
    
        response.addCookie(cookie);
      }
    }
    

    Make sure you use this customized PersistentTokenBasedRememberMeServices for your rememberMeServices by adding the class name to its bean configuration:

    <beans:bean id="rememberMeServices"
     class="my.custom.spring.PersistentTokenBasedRememberMeServicesCustom"/>
    
  • 2021-02-06 11:24

    To have sessions work properly with load balancing, I would store your session data in a SQL database.

    The cookie should always be a random value that expires. There are cases where you can store state as a cookie value without it being a security hazard, such as the user's preferred language, but this should be avoided as much as possible. Turning HttpOnly cookies on is a great idea.

    Read A3: "Broken Authentication and Session Management" in the OWASP Top 10 for 2010. One important point in this section is that HTTPS must be used for the entire session. If the session lasts for a very long time, then this is even more important.

    Also keep in mind that "Remember Me" creates a large window in which an attacker can "ride" on the session. This gives an attacker a very long time (months?) in which to deliver a CSRF attack. Even if you have CSRF protection, an attacker can still ride on a session with XSS and XMLHttpRequest (HttpOnly cookies will prevent a full hijack). "Remember Me" makes other threats like XSS, CSRF and sniffing more serious. As long as these vulnerabilities have been addressed, you shouldn't have a problem with real-world hackers.

    The easiest (and secure) approach to implementing a "remember me" feature would be to modify the session timeout to make it very large (a few months). If the "remember me" checkbox is unchecked, then store a session variable with a new timeout (1 day from login). Keep in mind that even if the cookie is deleted by the browser when it is closed, the session is still active on the server side. If the session ID is stolen, then it can still be used.

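Both answers come down to properties of the Set-Cookie header the application emits: the first answer wants the remember-me cookie session-scoped (no Max-Age or Expires), the second wants HttpOnly set and the cookie sent only over HTTPS (the Secure flag). The check below is an added example, not code from the original post or from Spring Security: it parses Set-Cookie header values and reports the scope, lifetime and missing flags, so you can confirm after deployment that the override actually produced a session cookie. The sample headers are constructed, not captured from a real server; the 1209600-second lifetime is Spring Security's default two-week remember-me validity, and the cookie name is Spring Security's default.

```python
"""Audit Set-Cookie header values for remember-me cookie hygiene (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed sample headers (not captured from a real server).
# 1209600 s is Spring Security's default two-week remember-me validity.
SAMPLE_HEADERS = [
    # default-style persistent remember-me cookie, no Secure/HttpOnly
    "SPRING_SECURITY_REMEMBER_ME_COOKIE=dXNlcjoxNjEyNjA4MDYw; Max-Age=1209600; Path=/",
    # session-scoped cookie as produced by the override above, with both flags
    "SPRING_SECURITY_REMEMBER_ME_COOKIE=dXNlcjoxNjEyNjA4MDYw; Path=/; Secure; HttpOnly",
    # lifetime given via Expires instead of Max-Age
    "JSESSIONID=7F3A9C; Path=/; Expires=Sat, 06 Mar 2021 10:41:00 GMT; Secure; HttpOnly",
]

# Fixed reference time (the post's timestamp) so Expires is evaluated deterministically.
FIXED_NOW = datetime(2021, 2, 6, 10, 41, tzinfo=timezone.utc)


@dataclass
class CookieReport:
    name: str
    session_scoped: bool            # True when neither Max-Age nor Expires is present
    max_age_seconds: Optional[int]  # remaining lifetime in seconds; None for a session cookie
    secure: bool
    http_only: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str, now: Optional[datetime] = None) -> CookieReport:
    """Parse one Set-Cookie header value (RFC 6265 attribute syntax) and evaluate it."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    secure = http_only = False

    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age":
            max_age = int(value)
        elif key == "expires":
            expires = parsedate_to_datetime(value)
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True

    # RFC 6265 section 5.3: Max-Age takes precedence when both attributes are present.
    if max_age is None and expires is not None:
        now = now or datetime.now(timezone.utc)
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        max_age = int((expires - now).total_seconds())

    report = CookieReport(name, max_age is None, max_age, secure, http_only)

    if max_age is not None and max_age <= 0:
        report.findings.append("Max-Age<=0: browser discards the cookie at once (cancellation)")
    elif max_age is not None:
        days = max_age / 86400
        report.findings.append(
            f"persistent for {days:.1f} days: a stolen cookie stays usable that long"
        )
    if not secure:
        report.findings.append("missing Secure: cookie is also sent over plain HTTP")
    if not http_only:
        report.findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    return report


def audit(headers: List[str], now: Optional[datetime] = None) -> List[CookieReport]:
    """Evaluate a list of Set-Cookie header values."""
    return [parse_set_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS, now=FIXED_NOW):
        scope = "session" if r.session_scoped else f"{r.max_age_seconds}s"
        print(f"{r.name}: {scope}; Secure={r.secure} HttpOnly={r.http_only}")
        for finding in r.findings:
            print("  -", finding)
```

Dropping Max-Age only changes what the browser keeps. The server-side state behind the cookie (the persistent token row for PersistentTokenBasedRememberMeServices, or the HTTP session) lives until it expires or is revoked, which is the same point the second answer's last paragraph makes about sessions.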