I have been researching this issue, but I haven't found anything that works or even explains what is happening.
User can log in with the "remember-me" option set, and a "remember-me" cookie is issued whose expiry date is April 18th (well in the future). User closes browser, reopens browser, and comes back to the site. When attempting to access the restricted pages, sometimes there is no immediate issue (the cookie is recognized and the user is signed in correctly) and other times the exception is thrown right away.
Attached bad.txt, which is a DEBUG-level log of the user attempting to access a restricted page after opening the browser again. It shows that the first request went through fine, but the second one did not.
It's been a very long day, so am I missing something? Any help whatsoever would be greatly appreciated! Here is my security configuration, if I need to post anything else I will be happy to!
<!-- Spring Security web configuration: explicit form login, persistent
     (JDBC-backed) remember-me, and logout. The security namespace is the
     default namespace, so core Spring bean elements carry the beans: prefix.
     NOTE(review): the schemaLocation pairs the 3.1 beans XSD with the 3.0
     security XSD; keep both aligned with the jars on the classpath. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Filter chain. auto-config is off, so the form-login, remember-me and
       logout filters are wired explicitly via custom-filter and the login
       page is reached through the referenced entry point.
       intercept-url rules are evaluated top to bottom, first match wins:
       /account/secured is already covered by /account/** (same access
       expression), and the trailing /** permitAll rule means every other
       request, static resources included, still runs through the whole filter
       chain and therefore through the remember-me filter. -->
  <http use-expressions="true" auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <intercept-url pattern="/account/secured" access="isAuthenticated()" />
    <intercept-url pattern="/account/new" access="permitAll" />
    <intercept-url pattern="/account/login" access="permitAll" />
    <intercept-url pattern="/account/**" access="isAuthenticated()" />
    <intercept-url pattern="/**" access="permitAll" />
    <custom-filter position="FORM_LOGIN_FILTER" ref="formAuthenticationFilter" />
    <custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeAuthenticationFilter" />
    <custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
  </http>

  <!-- Two providers: the DAO provider handles form logins, the remember-me
       provider accepts tokens produced by the remember-me filter. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider ref="authenticationProvider" />
    <authentication-provider ref="rememberMeAuthenticationProvider" />
  </authentication-manager>

  <!-- Form-login credential check against customerDao.
       NOTE(review): ShaPasswordEncoder with no saltSource on this provider
       means stored password hashes are unsalted SHA. A salted or adaptive
       (work-factor) encoder, or at minimum a saltSource, is advisable; this
       is unrelated to the remember-me symptom. -->
  <beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="passwordEncoder">
      <beans:bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
    </beans:property>
    <beans:property name="userDetailsService" ref="customerDao" />
  </beans:bean>

  <!-- Where unauthenticated requests to protected URLs are redirected. -->
  <beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/account/login" />
  </beans:bean>

  <!-- Custom form-login filter: accepts POST only (postOnly=true) on
       /account/login, reads email/password parameters, and hands the
       authenticated user to rememberMeServices so a token can be issued when
       the "remember" parameter is present. -->
  <beans:bean id="formAuthenticationFilter" class="com.foobar.website.security.FormAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationFailureHandler" ref="failureHandler" />
    <beans:property name="authenticationSuccessHandler" ref="successHandler" />
    <beans:property name="usernameParameter" value="email" />
    <beans:property name="passwordParameter" value="password" />
    <beans:property name="filterProcessesUrl" value="/account/login" />
    <beans:property name="postOnly" value="true" />
    <beans:property name="rememberMeServices" ref="rememberMeServices" />
  </beans:bean>

  <!-- Post-login redirect: replays the saved request if there is one;
       otherwise falls back to /account/login, which sends a freshly
       authenticated user back to the login page. Verify that is intended. -->
  <beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/account/login" />
  </beans:bean>

  <beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/account/login?login_error=true" />
  </beans:bean>

  <!-- Custom RememberMeServices. Its tokenRepository/userDetailsService/key
       properties match PersistentTokenBasedRememberMeServices, so it
       presumably extends that class (confirm in the Java source). With
       persistent tokens, every successful cookie login consumes the stored
       token and writes a fresh one into the cookie; if two requests carrying
       the same old cookie arrive at about the same time (several tabs
       restored on browser start, or resource requests that also traverse the
       filter chain), the second one is indistinguishable from token reuse and
       is rejected as suspected cookie theft. That is a plausible cause of the
       intermittent failure described above and would show in bad.txt as two
       near-simultaneous remember-me lookups for the same series.
       The key must equal the one on rememberMeAuthenticationProvider; treat
       it as a secret and externalize it rather than hard-coding it here. -->
  <beans:bean id="rememberMeServices" class="com.foobar.website.security.RememberMeServices">
    <beans:property name="tokenRepository" ref="jdbcTokenRepository" />
    <beans:property name="userDetailsService" ref="customerDao" />
    <beans:property name="key" value="myRememberMeKey" />
    <beans:property name="alwaysRemember" value="false" />
    <beans:property name="parameter" value="remember" />
    <beans:property name="cookieName" value="remember" />
  </beans:bean>

  <!-- Token store; createTableOnStartup=false, so the repository's
       persistent_logins table must already exist in mysqlDataSource. -->
  <beans:bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
    <beans:property name="createTableOnStartup" value="false" />
    <beans:property name="dataSource" ref="mysqlDataSource" />
  </beans:bean>

  <!-- Validates remember-me tokens; rejects any whose key does not match
       the one used by rememberMeServices. -->
  <beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <beans:property name="key" value="myRememberMeKey" />
  </beans:bean>

  <!-- Runs on every request with no authentication in the context and tries
       to authenticate from the remember-me cookie. -->
  <beans:bean id="rememberMeAuthenticationFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <beans:property name="rememberMeServices" ref="rememberMeServices" />
    <beans:property name="authenticationManager" ref="authenticationManager" />
  </beans:bean>

  <!-- Logout on /account/logout: constructor-arg 0 is the success URL,
       constructor-arg 1 the handler list. rememberMeServices runs first so
       the persistent token and cookie are cleared, then the security context
       is invalidated. -->
  <beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg index="0" value="/account/login" />
    <beans:constructor-arg index="1">
      <beans:list>
        <beans:ref bean="rememberMeServices" />
        <beans:bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
      </beans:list>
    </beans:constructor-arg>
    <beans:property name="filterProcessesUrl" value="/account/logout" />
  </beans:bean>
</beans:beans>

