SEC-1827: Remember me use-secure-cookie set to false does not actually prevent the cookie being flagged as secure #2057

Closed
spring-issuemaster opened this Issue Sep 24, 2011 · 0 comments

2 participants

@spring-issuemaster

Corrado Alesso (Migrated from SEC-1827) said:

In the namespace configuration for Remember me there is the "use-secure-cookie" that should allow the user to choose whether to flag the cookie as secure or not.

Actually, I think there are 3 scenarios. Flag as secure, Don't flag as secure, and (default behaviour) let the container decide based on the original request.

But the code of RememberMeAuthenticationFilter and AbstractRememberMeServices do not allow the second scenario.

RememberMeAuthenticationFilter line 348 (3.1 RC3):

```java
if (useSecureCookie == null) {
    cookie.setSecure(request.isSecure());
} else {
    cookie.setSecure(useSecureCookie);
}
```

I read this code as "the default behaviour is to flag the cookie based on the original request, otherwise do what the user told us". Unfortunately, useSecureCookie property is never "false" (even if the user set false in the namespace config) because of this code in RememberMeBeanDefinitionParser, line 101:

```java
if ("true".equals(element.getAttribute(ATT_SECURE_COOKIE))) {
    services.getPropertyValues().addPropertyValue("useSecureCookie", true);
}
```

Letting the user choose the flag can prevent the recurring problem of "login page in https, everything else in http" because the remember me cookie will be sent.
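The following added example is not Spring Security's code; it models the three-state flag the report asks for with a hypothetical `parseAsReported` (the behaviour described above, where only "true" is propagated) beside a `parseThreeState` that honours an explicit "false", and a `resolveSecure` that mirrors the filter's null check. The attribute map and the HTTPS request flag are constructed inputs.

```java
import java.util.Map;

public class SecureCookieFlag {
    // Same attribute name the parser reads in the report.
    static final String ATT_SECURE_COOKIE = "use-secure-cookie";

    // Behaviour described in the issue: only "true" is ever propagated, so an
    // explicit "false" collapses into the "not set" (null) case.
    static Boolean parseAsReported(Map<String, String> attributes) {
        Boolean useSecureCookie = null;
        if ("true".equals(attributes.get(ATT_SECURE_COOKIE))) {
            useSecureCookie = Boolean.TRUE;
        }
        return useSecureCookie;
    }

    // Three-state parse: absent -> null (let the request decide),
    // "true" -> TRUE, "false" -> FALSE. Any other value is rejected so a
    // misspelling cannot silently fall back to the default.
    static Boolean parseThreeState(Map<String, String> attributes) {
        String value = attributes.get(ATT_SECURE_COOKIE);
        if (value == null || value.isEmpty()) {
            return null;
        }
        if ("true".equals(value)) {
            return Boolean.TRUE;
        }
        if ("false".equals(value)) {
            return Boolean.FALSE;
        }
        throw new IllegalArgumentException(
                ATT_SECURE_COOKIE + " must be true or false, got: " + value);
    }

    // Mirrors the decision in RememberMeAuthenticationFilter quoted above.
    static boolean resolveSecure(Boolean useSecureCookie, boolean requestIsSecure) {
        return useSecureCookie == null ? requestIsSecure : useSecureCookie;
    }

    public static void main(String[] args) {
        // Constructed input: user configured use-secure-cookie="false",
        // and the login request itself arrived over HTTPS.
        Map<String, String> explicitFalse = Map.of(ATT_SECURE_COOKIE, "false");
        boolean requestOverHttps = true;

        System.out.println("as reported, Secure flag = "
                + resolveSecure(parseAsReported(explicitFalse), requestOverHttps));
        System.out.println("three-state, Secure flag = "
                + resolveSecure(parseThreeState(explicitFalse), requestOverHttps));
    }
}
```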

@spring-issuemaster spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016