SEC-1425: AbstractRememberMeServices not handling properly empty cookie #1668

spring-issuemaster opened this Issue Feb 27, 2010 · 2 comments



Cedomir Igaly (Migrated from SEC-1425) said:

When an empty cookie is sent to AbstractRememberMeServices, it will throw java.lang.ArrayIndexOutOfBoundsException instead of

This can be fixed by adding

if (tokens.length == 0) {
    throw new InvalidCookieException("No cookie!?");
}

String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);


Luke Taylor said:

Thanks for spotting this. I think it should only happen if the cookie is empty, so I've added a check for that at an earlier stage, rather than checking the length of the token array.


Cedomir Igaly said:

Don't thank me - thank spammer(s) who are attacking my site :-)


@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
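
A self-contained sketch of the two checks discussed in this thread, added here as an example and not Spring Security's own code: rejecting the empty cookie at an earlier stage, and checking the token array length before indexing into it. The class name, the nested `InvalidCookieException`, the `split` helper (a stand-in assumed to return a zero-length array for empty input, as the report implies for `StringUtils.delimitedListToStringArray`), the two-token format and the sample cookie values are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

public class EmptyRememberMeCookieDemo {
    static final String DELIMITER = ":";

    // Local stand-in for the exception type named in the report.
    static class InvalidCookieException extends RuntimeException {
        InvalidCookieException(String msg) { super(msg); }
    }

    // Stand-in splitter (assumption, not Spring's code): "" yields a zero-length array.
    static String[] split(String s) {
        List<String> out = new ArrayList<>();
        int pos = 0, del;
        while ((del = s.indexOf(DELIMITER, pos)) != -1) {
            out.add(s.substring(pos, del));
            pos = del + DELIMITER.length();
        }
        if (!s.isEmpty()) out.add(s.substring(pos));
        return out.toArray(new String[0]);
    }

    // Reject the empty cookie up front, then validate the token count before any indexing.
    static String[] decodeCookie(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            throw new InvalidCookieException("Cookie was empty");
        }
        String plain;
        try {
            plain = new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new InvalidCookieException("Cookie was not Base64 encoded");
        }
        String[] tokens = split(plain);
        if (tokens.length != 2) {
            throw new InvalidCookieException("Expected 2 tokens, got " + tokens.length);
        }
        return tokens;
    }

    public static void main(String[] args) {
        // Constructed inputs: "series:token", empty, "series" (one token), not Base64.
        for (String c : new String[] { "c2VyaWVzOnRva2Vu", "", "c2VyaWVz", "!!" }) {
            try {
                System.out.println("accepted: " + String.join(",", decodeCookie(c)));
            } catch (InvalidCookieException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Every malformed input ends in the same `InvalidCookieException` path, so callers can treat unsolicited or junk cookies as a failed auto-login rather than an unhandled runtime error.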