I am using Spring's remember-me service and I am seeing some strange behaviour.
The steps I take:
Log in to my website with username/password and tick the remember-me checkbox.
Then I close the browser and open a new one. Technically I should be logged in automatically, and that is happening too. I am using PersistentTokenBasedRememberMeServices. Now I close the browser again and open a new one again, and when I try to access my website I get the following exception:
SEVERE: Servlet.service() for servlet [appServlet] in context with path [/Spring-Security] threw exception org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack. at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:102) at org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:115) at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:97) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
I dug deeper and saw that in my last two requests the remember-me token
SPRING_SECURITY_REMEMBER_ME_COOKIE
has the value bUpwUUJ3dGpUcVJjaGpIYXJxcmFkdz09OlBBRlZXbDVnYmZZQjM2RmFYVDNVMXc9PQ
but Spring decoded it (org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.tokenRepository)
final String presentedSeries = cookieTokens[0];
final String presentedToken = cookieTokens[1];
correctly in the first request, but in the second request it decoded presentedToken as something different, which caused the cookie theft exception.
Is this the correct behaviour? How can I fix this?
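Added example, not part of the question and not Spring's own code: a small Python model of the series/token scheme that PersistentTokenBasedRememberMeServices implements, together with the same base64 "series:token" decode applied to the cookie value quoted in the question. It assumes an in-memory token store, a constructed user name ("alice"), and 16-byte random series and token values. It shows that a cookie whose token has already been rotated away produces exactly this CookieTheftException even though the series still matches, which is how a client that keeps presenting a pre-rotation cookie is treated.

```python
from __future__ import annotations

import base64
import secrets
import time


class RememberMeAuthenticationException(Exception):
    """Cookie could not be matched to a stored series (unknown or expired)."""


class CookieTheftException(RememberMeAuthenticationException):
    """Series matched but the token did not: a token issued earlier was presented again."""


def decode_cookie(cookie_value: str) -> tuple[str, str]:
    """Base64-decode a remember-me cookie and split it into (series, token).
    Trailing '=' padding is restored because it is stripped from the cookie value."""
    padded = cookie_value + "=" * (-len(cookie_value) % 4)
    series, token = base64.b64decode(padded).decode("ascii").split(":")
    return series, token


def encode_cookie(series: str, token: str) -> str:
    """Inverse of decode_cookie: 'series:token', base64, padding removed."""
    return base64.b64encode(f"{series}:{token}".encode("ascii")).decode("ascii").rstrip("=")


def _random_b64(n_bytes: int = 16) -> str:
    """Random identifier, base64-encoded, as used for both series and token."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


class PersistentTokenRememberMe:
    """Simplified in-memory model of the persistent-token scheme: one row per series."""

    def __init__(self, validity_seconds: int = 14 * 24 * 3600):
        self.validity_seconds = validity_seconds
        self.tokens: dict[str, dict] = {}  # series -> {username, token, last_used}

    def login_success(self, username: str) -> str:
        """Interactive login with remember-me ticked: create a new series and issue the cookie."""
        series, token = _random_b64(), _random_b64()
        self.tokens[series] = {"username": username, "token": token, "last_used": time.time()}
        return encode_cookie(series, token)

    def auto_login(self, cookie_value: str) -> tuple[str, str]:
        """Validate the presented cookie; on success rotate the token and return (username, new_cookie)."""
        presented_series, presented_token = decode_cookie(cookie_value)
        stored = self.tokens.get(presented_series)
        if stored is None:
            raise RememberMeAuthenticationException("No persistent token found for series id")
        if not secrets.compare_digest(stored["token"], presented_token):
            # Series matches but the token is not the latest one issued for it: the stored
            # token was already rotated, so this cookie is stale. All of the user's series
            # are invalidated, and the user has to log in interactively again.
            self._remove_user_tokens(stored["username"])
            raise CookieTheftException(
                "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack."
            )
        if stored["last_used"] + self.validity_seconds < time.time():
            del self.tokens[presented_series]
            raise RememberMeAuthenticationException("Remember-me login has expired")
        # Rotate: keep the series, issue a fresh token, and send it back as the new cookie.
        stored["token"] = _random_b64()
        stored["last_used"] = time.time()
        return stored["username"], encode_cookie(presented_series, stored["token"])

    def _remove_user_tokens(self, username: str) -> None:
        for series in [s for s, row in self.tokens.items() if row["username"] == username]:
            del self.tokens[series]


def replay_stale_cookie() -> str:
    """Reproduce the sequence from the question: login, one successful auto-login (which
    rotates the token), then a second auto-login that presents the ORIGINAL cookie again.
    Returns the name of the exception raised by the second auto-login."""
    svc = PersistentTokenRememberMe()
    first_cookie = svc.login_success("alice")           # constructed user
    user, second_cookie = svc.auto_login(first_cookie)  # first new browser: OK, token rotated
    assert user == "alice" and second_cookie != first_cookie
    try:
        svc.auto_login(first_cookie)                    # client still sends the old cookie
    except CookieTheftException as exc:
        return type(exc).__name__
    return "no exception"


if __name__ == "__main__":
    print(decode_cookie("bUpwUUJ3dGpUcVJjaGpIYXJxcmFkdz09OlBBRlZXbDVnYmZZQjM2RmFYVDNVMXc9PQ"))
    print(replay_stale_cookie())
```

Because the token is rotated on every successful auto-login, the second auto-login must present the cookie that the first one set, not the one from the interactive login. Seeing the same cookie value on two consecutive requests, as in the question, is therefore consistent with the client having resent the pre-rotation cookie; the place to look is whether the rotated Set-Cookie actually reached and was stored by the browser.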