SEC-1356: AbstractRememberMeServices#extractRememberMeCookie may use cookie from different context #1600

Closed
spring-issuemaster opened this Issue Jan 6, 2010 · 3 comments

1 participant

@spring-issuemaster

Zbigniew Ruchała (Migrated from SEC-1356) said:

AbstractRememberMeServices#extractRememberMeCookie verifies the cookie only by its name, but #cancelCookie and #setCookie use the path as well. This leads to a problem when more than one application, deployed under different contexts, is hosted on the same machine. When the cookie from the app at (/) is used to log in to (/service), and the user logs out from /service, the cookie does not vanish (#cancelCookie sets the path).

@spring-issuemaster

Luke Taylor said:

I've modified extractRememberMeCookie to check the path of the incoming cookie against the context path of the request, which should prevent cookies from being mixed up. If someone wants to share them, they should override the setting and extraction methods to use a less-specific path.

@spring-issuemaster

Luke Taylor said:

This change doesn't make sense, as the browser won't submit the path with the cookie. It only uses the path to decide whether to submit the cookie with a request.

@spring-issuemaster

Luke Taylor said:

I've reverted the changes for this issue. I think it will be a "won't fix". You will probably have to use different cookie names for different applications, or deploy them under separate distinct paths which don't match.
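The cookie-path behaviour discussed in this thread, as an added example that is not from the issue or from Spring Security itself: a minimal RFC 6265 path-matching jar showing that a remember-me cookie set at `/` is submitted to `/service`, that the browser sends no path with it, and that a cancel cookie scoped to `/service` leaves the `/` cookie in place, while a distinct cookie name for the second application avoids the mix-up. The cookie name, token values and the `cancel_cookie` helper are constructed to model the behaviour described above, not the real methods.

```python
# Added example: models the browser side of the remember-me cookie problem.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str          # Path attribute; stored by the browser, never sent back
    max_age: int = 3600


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: decides whether a cookie is submitted."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class Jar:
    """Browser cookie store; a cookie's identity is (name, path)."""

    def __init__(self):
        self._cookies = {}

    def store(self, cookie: Cookie) -> None:
        key = (cookie.name, cookie.path)
        if cookie.max_age <= 0:
            self._cookies.pop(key, None)   # expires only the cookie with this exact path
        else:
            self._cookies[key] = cookie

    def cookie_header(self, request_path: str) -> dict:
        """What the browser submits: name=value pairs only, no path information."""
        return {c.name: c.value for c in self._cookies.values()
                if path_matches(c.path, request_path)}


REMEMBER_ME = "SPRING_SECURITY_REMEMBER_ME_COOKIE"   # default name; token values constructed


def cancel_cookie(jar: Jar, name: str, context_path: str) -> None:
    """Constructed model of a logout cancel cookie: same name, the app's context path, maxAge 0."""
    jar.store(Cookie(name, "", context_path, max_age=0))


def demo():
    jar = Jar()
    jar.store(Cookie(REMEMBER_ME, "token-from-root-app", "/"))     # set by the app at "/"
    seen_by_service = jar.cookie_header("/service/home")             # name matches, so /service accepts it
    cancel_cookie(jar, REMEMBER_ME, "/service")                      # logout from /service
    after_logout = jar.cookie_header("/service/home")                # the "/" cookie is still sent
    distinct_name = jar.cookie_header("/service/home").get("SERVICE_REMEMBER_ME")  # different name: nothing to mix up
    return seen_by_service, after_logout, distinct_name
```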

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016