org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
To reproduce this, use the Firefox "Live HTTP Headers" plugin to capture the session ID and remember-me token cookies once the user is logged in. Then restart Firefox and use the "Modify Headers" plugin to force the previously captured cookie values. The replay fails because the remember-me cookie is a (series, token) pair and the token is rotated every time the cookie is accepted: once the browser's own copy has been used to auto-login after the restart, the captured copy still carries the right series but a stale token. Spring Security treats that combination as a stolen cookie: it deletes all of the user's persistent tokens, cancels the cookie and throws CookieTheftException out of the remember-me filter, which is why it surfaces as an uncaught exception.
To resolve this, map the exception in web.xml to a forward to the login page with an error code, so the user gets the login form instead of a stack trace. The order in web.xml matters: put the CookieTheftException mapping before the generic java.lang.Exception and 500 mappings. Keep in mind that the "sessionExpired" message hides what happened from the user, so log the event server-side as well; a series/token mismatch is either a replayed cookie or a legitimate browser racing itself on a token rotation (two concurrent requests presenting the same, now stale, token). Here is a working example:
<error-page>
    <exception-type>org.springframework.security.web.authentication.rememberme.CookieTheftException</exception-type>
    <location>/WEB-INF/jsp/login.jsp?error=sessionExpired</location>
</error-page>
<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/WEB-INF/jsp/uncaughtException.jsp</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/jsp/uncaughtException.jsp</location>
</error-page>
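The check the exception comes from, as an added example that is neither code from this post nor from Spring Security: a stand-alone Java model of the series/token scheme that PersistentTokenBasedRememberMeServices implements. The class and method names, the "series:token" cookie format and the in-memory store are assumptions made for illustration; the rule it enforces (series known but token stale: delete every token the user holds and throw CookieTheftException) is the one Spring Security applies.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the post or from Spring Security): a stand-alone model
// of the series/token check behind CookieTheftException. Names, the "series:token"
// cookie format and the in-memory store are assumptions made for illustration.
public class RememberMeSeriesTokenDemo {

    // Series known but token stale: the condition Spring Security reports as theft.
    static class CookieTheftException extends RuntimeException {
        CookieTheftException(String msg) { super(msg); }
    }

    // Series unknown: forged, expired or already purged cookie.
    static class RememberMeAuthenticationException extends RuntimeException {
        RememberMeAuthenticationException(String msg) { super(msg); }
    }

    // One row of the persistent token table: series -> (username, current token).
    static final class Row {
        final String username;
        String token;
        Row(String username, String token) { this.username = username; this.token = token; }
    }

    private final Map<String, Row> store = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    private String randomValue() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Interactive login: allocate a fresh series and token and hand back the cookie value.
    public String login(String username) {
        String series = randomValue();
        String token = randomValue();
        store.put(series, new Row(username, token));
        return series + ":" + token;
    }

    // Remember-me auto-login: validate the presented cookie, rotate the token on
    // success and return the new cookie value the browser must store.
    public String autoLogin(String cookie) {
        String[] parts = cookie.split(":", 2);
        if (parts.length != 2) {
            throw new RememberMeAuthenticationException("Malformed remember-me cookie");
        }
        String series = parts[0];
        String presented = parts[1];
        Row row = store.get(series);
        if (row == null) {
            throw new RememberMeAuthenticationException("No persistent token found for series " + series);
        }
        if (!row.token.equals(presented)) {
            // The series was already used with a newer token, so this copy of the
            // cookie is a replay. Spring Security removes every token the user has,
            // logging both the legitimate browser and the replaying party out of
            // remember-me, then throws.
            store.values().removeIf(r -> r.username.equals(row.username));
            throw new CookieTheftException(
                "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.");
        }
        row.token = randomValue();  // rotate the token; the series stays the same
        return series + ":" + row.token;
    }

    // How many persistent tokens the user still holds (none after a detected theft).
    public long tokenCount(String username) {
        return store.values().stream().filter(r -> r.username.equals(username)).count();
    }

    public static void main(String[] args) {
        RememberMeSeriesTokenDemo svc = new RememberMeSeriesTokenDemo();

        String captured = svc.login("alice");      // value an attacker copied from the browser
        String current = svc.autoLogin(captured);  // the real browser restarts: accepted, token rotated

        try {
            svc.autoLogin(captured);               // the captured copy is replayed
        } catch (CookieTheftException e) {
            System.out.println("Replay detected: " + e.getMessage());
        }
        System.out.println("Tokens left for alice: " + svc.tokenCount("alice"));

        try {
            svc.autoLogin(current);                // even the legitimate cookie is now rejected
        } catch (RememberMeAuthenticationException e) {
            System.out.println("Legitimate cookie rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java RememberMeSeriesTokenDemo.java` (single-file launch, JDK 11 or later). The sequence in main is the reproduction from above: the first use of the captured cookie is accepted and rotates the token, the second use trips the theft check, and afterwards the user has no persistent tokens left, so the browser that held the legitimate rotated cookie is logged out of remember-me as well. In Spring Security the same thing happens inside PersistentTokenBasedRememberMeServices, and AbstractRememberMeServices.autoLogin cancels the cookie and rethrows CookieTheftException instead of swallowing it, which is why the error-page mapping above is needed to turn it into a login redirect.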