Sunday, May 22, 2011

Spring Invalid remember-me token cookie theft attack

Some errors simply sound scarier than they are. From time to time Tomcat was returning the following:
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.

The message comes from Spring Security's persistent remember-me support (PersistentTokenBasedRememberMeServices). The remember-me cookie carries two values: a series identifier, which stays fixed for the life of the cookie, and a token, which is replaced with a fresh random value on every successful automatic login. When a cookie arrives whose series is known but whose token is not the one currently stored for that series, Spring concludes that a second copy of the cookie has been used, deletes every persistent token belonging to that user and throws this exception. Both the real user and whoever holds the copy are then forced to log in with a password again.

To recreate this issue you can use the Firefox "Live Http Headers" plugin to capture the JSESSIONID and remember-me cookies once the user is logged in. Then restart Firefox: the session cookie is gone, so the next request is authenticated through the remember-me cookie, which rotates the token both on the server and in the browser. Now use the "Modify Headers" plugin to send the previously captured cookie values instead. The series still exists but the token is stale, and the exception is thrown. The same mismatch also occurs without any attacker when two requests carrying the same remember-me cookie are processed at once (a page and an AJAX call, or a page and its favicon, from a browser with no live session): the first request rotates the token and the second is rejected with the old one. That race is usually the explanation for a CookieTheftException that only shows up from time to time.
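To make the series/token scheme concrete, here is a small self-contained Java model of it. This is an added illustration, not Spring's code: RememberMeModel, CookieTheft, Cookie and the in-memory map are invented stand-ins for PersistentTokenBasedRememberMeServices, CookieTheftException, the remember-me cookie and the persistent_logins table. The main method walks through exactly the sequence described above: a login, an automatic login that rotates the token, then a replay of the captured cookie.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Model of the series/token persistent remember-me scheme used by Spring Security's
 * PersistentTokenBasedRememberMeServices. Added illustration only: the names below are
 * invented for this example and the HashMap stands in for the persistent_logins table.
 */
public class RememberMeModel {

    /** Stand-in for org.springframework.security.web.authentication.rememberme.CookieTheftException. */
    public static class CookieTheft extends RuntimeException {
        public CookieTheft(String message) { super(message); }
    }

    /** What the browser holds: the cookie carries both halves. */
    public static final class Cookie {
        public final String series;
        public final String token;
        public Cookie(String series, String token) { this.series = series; this.token = token; }
    }

    /** One row of the token table, keyed by series. */
    private static final class Row {
        final String username;
        String token;
        Row(String username, String token) { this.username = username; this.token = token; }
    }

    private final Map<String, Row> table = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    private String randomValue() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Interactive (username/password) login: a brand-new series with a fresh token. */
    public Cookie onLoginSuccess(String username) {
        String series = randomValue();
        Row row = new Row(username, randomValue());
        table.put(series, row);
        return new Cookie(series, row.token);
    }

    /**
     * Automatic login from a presented cookie.
     *  - unknown series: the cookie is simply invalid (null, no theft signal);
     *  - known series, matching token: accept, rotate the token, keep the series;
     *  - known series, stale token: this series was already used by another copy, so every
     *    token the user owns is deleted and CookieTheft is thrown. This is the case that the
     *    "Series/token mismatch" message reports.
     */
    public Cookie autoLogin(Cookie presented) {
        Row row = table.get(presented.series);
        if (row == null) {
            return null;
        }
        if (!row.token.equals(presented.token)) {
            String victim = row.username;
            table.values().removeIf(r -> r.username.equals(victim));
            throw new CookieTheft("Invalid remember-me token (Series/token) mismatch. "
                    + "Implies previous cookie theft attack.");
        }
        row.token = randomValue();
        return new Cookie(presented.series, row.token);
    }

    /** Number of live series for a user; zero after a detected theft. */
    public int seriesCount(String username) {
        int n = 0;
        for (Row r : table.values()) {
            if (r.username.equals(username)) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        RememberMeModel rm = new RememberMeModel();

        // 1. alice logs in; the cookie is copied (an attacker, or "Live Http Headers").
        Cookie captured = rm.onLoginSuccess("alice");

        // 2. alice's browser restarts and auto-logs in: same series, token rotated.
        Cookie rotated = rm.autoLogin(captured);
        System.out.println("token rotated: " + !rotated.token.equals(captured.token));

        // 3. the stale copy is replayed ("Modify Headers"): series known, token stale.
        try {
            rm.autoLogin(captured);
            System.out.println("unexpected: stale cookie accepted");
        } catch (CookieTheft e) {
            System.out.println(e.getMessage());
            System.out.println("series left for alice: " + rm.seriesCount("alice"));
        }

        // 4. the rotated cookie is dead as well: alice must log in again, just like the thief.
        System.out.println("rotated cookie still valid: " + (rm.autoLogin(rotated) != null));
    }
}
```

The concurrent-request race is the same thing as step 3 seen from the server: two requests arrive with the captured cookie, the first one rotates the token and the second one presents the stale value, so the model cannot tell the race from a genuine replay either.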

To handle it, map the exception to the login page with an error code in web.xml. The servlet container picks the error-page whose exception-type is the closest match in the class hierarchy, so the CookieTheftException entry takes precedence over the generic java.lang.Exception one; listing the specific mapping first keeps that intent obvious. Here is a working example:
<error-page>
    <exception-type>org.springframework.security.web.authentication.rememberme.CookieTheftException</exception-type>
    <location>/WEB-INF/jsp/login.jsp?error=sessionExpired</location>
</error-page>
<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/WEB-INF/jsp/uncaughtException.jsp</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/jsp/uncaughtException.jsp</location>
</error-page>

By the time this page is shown Spring has already cancelled the remember-me cookie and removed all of the user's persistent tokens, so a fresh password login is required in any case. Telling the user the session expired is friendly, but the event should also be logged, for example from the error page using the javax.servlet.error.exception request attribute together with the remote address: once the concurrent-request race has been ruled out, it really can mean a stolen cookie.
