org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:102)
at org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:115)
What I notice is that the processAutoLoginCookie method gets called twice. The behavior of the method itself seems to be correct, for example , update the token in the database and update the cookie in the client.
Any help on this would be appreciated.
While waiting for somebody to post an answer to this question, I thought of a better solution to this issue. By default, the PersistentTokenBasedRememberMeServices.processAutoLoginCookie() updates the token for every request. My solution to this is to override the behaviour of processAutoLoginCookie() and removed the updating of the cookie part. This solves the cookietheft exception but this will open a security hole to the attacker since the cookie doesn't updates for every request. If the attacker able to steal the cookie, he can use that cookie to access the protected site. To prevent that to happen, I'm thinking of adding an IP address as part of to the cookie and validate every request if the cookie comes from the owner of the session. I haven't implemented the IP validation but for me this is the better way to solve this problem.
I hope this also helps to some of you having the same issue I have.
modify your web.xml, in error-page sections, add location (e.g. /signin) for org.springframework.security.web.authentication.rememberme.CookieTheftException
来源:https://stackoverflow.com/questions/13393774/invalid-remember-me-token-series-token-mismatch-implies-previous-cookie-theft