Remember me doesn't work correctly with an ajax request #508

Open
codeconsole opened this issue Sep 3, 2017 · 4 comments
@codeconsole
Contributor

  • User Logged in with Remember Me
  • Session Times out (usually after 30 minutes)
  • Left browser window open and proceeds to make Ajax request

Request returns a status code 302 with a redirect to '/login/ajaxSuccess' or whatever is defined as the ajaxSuccessUrl

    authenticationSuccessHandler(AjaxAwareAuthenticationSuccessHandler) {
        requestCache = ref('requestCache')
        defaultTargetUrl = '/'
        alwaysUseDefaultTargetUrl = false
        targetUrlParameter = 'spring-security-redirect'
        ajaxSuccessUrl = '/login/ajaxSuccess'
        useReferer = false
        redirectStrategy = ref('redirectStrategy')
    }

Correct behavior should be to process the request as normal, as the user is already logged in from RememberMeServices.

@sdelamo
Contributor

sdelamo commented Sep 20, 2017

Could you provide a sample application?

@mamunsrdr

Same issue, Grails 3.3.2 and plugin with 3.2.0. Example uploaded: https://github.com/mamunsrdr/grails-sec-issue.
Stated in #527 case 3.

@puneetbehl puneetbehl self-assigned this Feb 6, 2018
@mattnicolls

I'm having this issue as well. In my case, the request is redirected to ajaxSuccess, returns a 200 success, and the response body looks like this { success: true, username='...' }. This was particularly frustrating because my JavaScript code was looking for success===true in the response handler. So between the 200 HTTP code and the success: true in the response body, my code (and the end user) believed the request went through and all was well.

Unfortunately this was not the case, and I think I know why. If the originating request was a GET, then after Spring Security intercepted the request, redirected to login, login processed the remember_me logic, it could then redirect back to the original GET request. But in my case it is a POST, and you cannot redirect a POST request.

So I need to scour my app code looking for POST/PUT requests and adding some logic to auto retry my request in this scenario - which is really a pain. It would be better if Spring Security would re-login the user without doing any redirect at all.

I'll look into the grails remember-me config to see if there is a way to do this...

@lucyhebert

Hello, I have the same problem here, is there anything new about this, or maybe there is a workaround?
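
A client-side sketch of the auto-retry described in @mattnicolls's comment, added here as an example; it is not code from the plugin or from any participant in this thread. It assumes a fetch-style client that exposes `redirected` and `url` on the response and that `ajaxSuccessUrl` is `/login/ajaxSuccess` as in the configuration above; `makeFakeServer` is a constructed stand-in for the server so the block runs offline.

```javascript
// Assumption: matches ajaxSuccessUrl in the configuration quoted in the issue.
const AJAX_SUCCESS_PATH = '/login/ajaxSuccess';

// True when the response is the login-success page instead of the endpoint
// that was requested, i.e. the 302 described in the issue was followed.
// In a browser, pass location.href as `base`.
function wasDivertedToAjaxSuccess(requestedUrl, response, base = 'http://localhost') {
  const requested = new URL(requestedUrl, base).pathname;
  const finalPath = new URL(response.url || requestedUrl, base).pathname;
  return Boolean(response.redirected) &&
    finalPath === AJAX_SUCCESS_PATH &&
    requested !== AJAX_SUCCESS_PATH;
}

// Wraps a fetch-compatible function. When the request was swallowed by the
// remember-me re-login, replay it once: the session exists again, so the
// second attempt should reach the real handler. The body must be replayable
// (a string, not a consumed stream).
async function fetchWithReloginRetry(fetchImpl, url, options = {}) {
  const first = await fetchImpl(url, options);
  if (!wasDivertedToAjaxSuccess(url, first)) return first;
  const second = await fetchImpl(url, options);
  if (wasDivertedToAjaxSuccess(url, second)) {
    // Never report a diverted request as a success to the caller.
    throw new Error('Request still diverted to ' + AJAX_SUCCESS_PATH + ' after retry');
  }
  return second;
}

// Constructed test double: the first call behaves like an expired session with
// a valid remember-me cookie; later calls reach the application handler.
function makeFakeServer() {
  let sessionAlive = false;
  const handled = []; // requests that actually reached the application
  const fetchImpl = async (url, options = {}) => {
    if (!sessionAlive) {
      sessionAlive = true;
      return { status: 200, redirected: true, url: 'http://localhost' + AJAX_SUCCESS_PATH,
               json: async () => ({ success: true, username: 'demo' }) };
    }
    handled.push({ url, method: options.method || 'GET', body: options.body });
    return { status: 200, redirected: false, url: 'http://localhost' + url,
             json: async () => ({ saved: true }) };
  };
  return { fetchImpl, handled };
}
```

The check relies on the final response URL rather than on `success: true` in the body, since the body of the login-success page is what made the lost POST look successful.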
