
SEC-1356: AbstractRememberMeServices#extractRememberMeCookie may use cookie from different context #1600

spring-issuemaster opened this Issue Jan 6, 2010 · 3 comments



Zbigniew Ruchała (Migrated from SEC-1356) said:

AbstractRememberMeServices#extractRememberMeCookie verifies the cookie only by its name, but #cancelCookie and #setCookie use the path as well. This leads to a problem when more than one application, deployed under different contexts, is hosted on the same machine. While the cookie from the app at (/) is used to log in to (/service), when the user logs out from /service the cookie does not vanish (#cancelCookie sets the path).

Luke Taylor said:

I've modified extractRememberMeCookie to check the path of the incoming cookie against the context path of the request, which should prevent cookies from being mixed up. If someone wants to share them, they should override the setting and extraction methods to use a less-specific path.

Luke Taylor said:

This change doesn't make sense, as the browser won't submit the path with the cookie. It only uses the path to decide whether to submit the cookie with a request.

Luke Taylor said:

I've reverted the changes for this issue. I think it will be a "won't fix". You will probably have to use different cookie names for different applications, or deploy them under separate distinct paths which don't match.

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016
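As an added illustration (not code from Spring Security or from this thread), the following Python model of a browser's RFC 6265 cookie store reproduces the mix-up discussed above: a remember-me cookie issued by the application at context / is submitted to /service, and /service's cancel with Path=/service cannot delete it, because the browser never sends the Path back and deletion only affects the entry with the same name and path. The cookie name and token values are assumed.

```python
REMEMBER_ME = "remember-me"  # assumed cookie name shared by both applications


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match, as a browser applies it."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Browser-side store: a cookie is identified by (name, path). A Set-Cookie
    with Max-Age=0 removes only the entry with the same name AND path."""
    def __init__(self):
        self.cookies = {}

    def set_cookie(self, name, value, path, max_age=None):
        if max_age is not None and max_age <= 0:
            self.cookies.pop((name, path), None)  # deletion needs the exact path
        else:
            self.cookies[(name, path)] = value

    def cookie_header(self, request_path):
        """name=value pairs sent to the server, longest path first; the Path
        attribute itself is never transmitted, so the server cannot use it."""
        matching = [(p, n, v) for (n, p), v in self.cookies.items() if path_matches(request_path, p)]
        return [(n, v) for p, n, v in sorted(matching, key=lambda t: -len(t[0]))]


def extract_remember_me(cookie_header, name=REMEMBER_ME):
    """Mirrors AbstractRememberMeServices#extractRememberMeCookie: the first
    cookie with the expected name wins, whatever context set it."""
    for n, v in cookie_header:
        if n == name:
            return v
    return None


def reproduce_sec_1356(cookie_name=REMEMBER_ME):
    jar = CookieJar()
    # The app at context "/" issues its remember-me cookie with Path=/ (constructed token).
    jar.set_cookie(cookie_name, "token-from-root-app", path="/")
    # A request to /service carries that cookie, because "/" path-matches "/service/login".
    seen_by_service = extract_remember_me(jar.cookie_header("/service/login"), cookie_name)
    # /service logs the user out: cancelCookie expires the cookie with Path=/service.
    jar.set_cookie(cookie_name, "", path="/service", max_age=0)
    # The root app's cookie is untouched and is still presented to /service afterwards.
    after_logout = extract_remember_me(jar.cookie_header("/service/home"), cookie_name)
    return seen_by_service, after_logout
```

Running `reproduce_sec_1356()` returns the root app's token both before and after the /service logout; giving /service a distinct cookie name, as suggested in the last comment, makes `extract_remember_me` return nothing for the foreign cookie.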
