SEC-1425: AbstractRememberMeServices not handling properly empty cookie #1668

spring-issuemaster opened this Issue Feb 27, 2010 · 2 comments



Cedomir Igaly (Migrated from SEC-1425) said:

When an empty cookie is sent to AbstractRememberMeServices, it will throw java.lang.ArrayIndexOutOfBoundsException instead of org.springframework.security.web.authentication.rememberme.InvalidCookieException.

This can be fixed by adding

```java
// Reject a cookie that decodes to no tokens at all
if (tokens.length == 0) {
    throw new InvalidCookieException("No cookie!?");
}
```

```java
String[] tokens = StringUtils.delimitedListToStringArray(cookieAsPlainText, DELIMITER);
```

Luke Taylor said:

Thanks for spotting this. I think it should only happen if the cookie is empty, so I've added a check for that at an earlier stage, rather than checking the length of the token array.

Cedomir Igaly said:

Don't thank me - thank spammer(s) who are attacking my site :-)


spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
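A standalone sketch of the failure reported above and of the early empty-cookie check described in the reply, added here as an example; it is not Spring Security's code. The `split` helper, the nested `InvalidCookieException` and the `firstToken` caller are assumptions standing in for the framework classes, and the cookie value is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class EmptyRememberMeCookieDemo {
    static final String DELIMITER = ":";

    // Stand-in for Spring's InvalidCookieException so the demo has no dependencies.
    static class InvalidCookieException extends RuntimeException {
        InvalidCookieException(String msg) { super(msg); }
    }

    // Stand-in splitter (assumption): as in the issue, "" yields a zero-length array.
    static String[] split(String s) {
        return s.isEmpty() ? new String[0] : s.split(DELIMITER, -1);
    }

    static String[] decode(String cookieValue, boolean rejectEmpty) {
        // The early check: refuse an empty cookie before any decoding or splitting.
        if (rejectEmpty && (cookieValue == null || cookieValue.isEmpty())) {
            throw new InvalidCookieException("Cookie value was empty");
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(cookieValue);
        } catch (IllegalArgumentException e) {
            throw new InvalidCookieException("Cookie value was not Base64 encoded");
        }
        return split(new String(raw, StandardCharsets.UTF_8));
    }

    // Hypothetical caller that reads the first token without checking the array length.
    static String firstToken(String cookieValue, boolean rejectEmpty) {
        return decode(cookieValue, rejectEmpty)[0];
    }

    public static void main(String[] args) {
        // Constructed sample cookie: Base64 of "alice:1700000000000:sig".
        String valid = Base64.getEncoder()
                .encodeToString("alice:1700000000000:sig".getBytes(StandardCharsets.UTF_8));
        for (boolean rejectEmpty : new boolean[] {false, true}) {
            for (String cookie : new String[] {valid, ""}) {
                try {
                    System.out.println("rejectEmpty=" + rejectEmpty + " -> " + firstToken(cookie, rejectEmpty));
                } catch (RuntimeException e) {
                    System.out.println("rejectEmpty=" + rejectEmpty + " -> " + e.getClass().getSimpleName());
                }
            }
        }
    }
}
```

With the check disabled, the empty cookie surfaces as an unhandled runtime exception; with it enabled, the same input becomes an ordinary authentication failure that the remember-me filter can handle like any other bad cookie.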
