Question
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:102)
at org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:115)
What I notice is that the processAutoLoginCookie method gets called twice. The behavior of the method itself seems to be correct; for example, it updates the token in the database and updates the cookie on the client. Any help on this would be appreciated.
Recommended answer
While waiting for somebody to post an answer to this question, I thought of a better solution to this issue. By default, PersistentTokenBasedRememberMeServices.processAutoLoginCookie() updates the token for every request. My solution to this is to override the behaviour of processAutoLoginCookie() and remove the updating of the cookie. This solves the CookieTheftException, but it will open a security hole to the attacker since the cookie isn't updated for every request. If the attacker is able to steal the cookie, he can use that cookie to access the protected site. To prevent that from happening, I'm thinking of adding an IP address as part of the cookie and validating on every request that the cookie comes from the owner of the session. I haven't implemented the IP validation yet, but for me this is the better way to solve this problem.
I hope this also helps some of you who have the same issue I have.
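As an added illustration (an editor's example, not code from the question, the answer, or Spring Security itself), here is a small Python model of the series/token remember-me scheme that PersistentTokenBasedRememberMeServices implements. The class names InMemoryTokenRepository and RememberMeService and the user name "alice" are constructed for the example. It shows why a second request carrying a cookie that an earlier request has already rotated trips exactly this exception, and that the mismatch branch purges every series stored for the user, which is why the error appears even when no attacker is involved: two requests are racing on the same cookie.

```python
# Editor's example: a minimal model of the series/token remember-me scheme
# (the scheme PersistentTokenBasedRememberMeServices implements). Not Spring code.
import secrets
from dataclasses import dataclass


class CookieTheftException(Exception):
    """Raised when a known series arrives with a token that is not the current one."""


@dataclass
class PersistentToken:
    username: str
    series: str   # stable identifier for one browser's remember-me "session"
    token: str    # rotated on every successful auto-login


class InMemoryTokenRepository:
    """Stand-in for a PersistentTokenRepository (constructed for this example)."""

    def __init__(self):
        self._by_series = {}

    def create_new_token(self, t: PersistentToken) -> None:
        self._by_series[t.series] = t

    def get_token_for_series(self, series: str):
        return self._by_series.get(series)

    def update_token(self, series: str, new_token: str) -> None:
        self._by_series[series].token = new_token

    def remove_user_tokens(self, username: str) -> None:
        stale = [s for s, t in self._by_series.items() if t.username == username]
        for s in stale:
            del self._by_series[s]


class RememberMeService:
    """Hypothetical service mirroring the validate-then-rotate logic."""

    def __init__(self, repo: InMemoryTokenRepository):
        self.repo = repo

    def login_success(self, username: str):
        """Issue a fresh series/token pair; the cookie value is (series, token)."""
        t = PersistentToken(username, secrets.token_urlsafe(16), secrets.token_urlsafe(16))
        self.repo.create_new_token(t)
        return (t.series, t.token)

    def process_auto_login_cookie(self, cookie):
        """Validate the presented cookie, then rotate its token and return the new cookie."""
        series, presented = cookie
        stored = self.repo.get_token_for_series(series)
        if stored is None:
            raise ValueError("unknown series")
        if not secrets.compare_digest(stored.token, presented):
            # Same series, different token: either a thief already used and
            # rotated the cookie, or a second concurrent request beat this one.
            # All of the user's series are dropped so neither party keeps access.
            self.repo.remove_user_tokens(stored.username)
            raise CookieTheftException("Invalid remember-me token (Series/token) mismatch")
        new_token = secrets.token_urlsafe(16)
        self.repo.update_token(series, new_token)
        return stored.username, (series, new_token)


def simulate_concurrent_requests():
    """Two requests both carrying the cookie issued at login; the second one fails."""
    svc = RememberMeService(InMemoryTokenRepository())
    cookie = svc.login_success("alice")            # constructed sample user
    user, fresh_cookie = svc.process_auto_login_cookie(cookie)   # request 1 rotates
    try:
        svc.process_auto_login_cookie(cookie)       # request 2 still holds the old cookie
        second = "accepted"
    except CookieTheftException:
        second = "theft_exception"
    purged = svc.repo.get_token_for_series(cookie[0]) is None
    return user, second, purged, fresh_cookie != cookie


if __name__ == "__main__":
    print(simulate_concurrent_requests())
```

The rotation step is what makes a stolen cookie detectable: whoever presents a series second loses, and the legitimate user notices because their own remember-me login suddenly fails. Removing the rotation, as the answer proposes, removes that detection as well, which is the hole the answer itself points out.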