Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4 Larks
    • Fix Version/s: 2.8 Larks
    • Labels: None
    • Sprint: 2.5 Larks, 2.6 Larks, 2.8 Larks

      Description

      I get redirected to the login page if my session has expired:

      2014-01-18 08:14:11 [DEBUG][http-8080-14    ][][org.jtalks.jcommune.web.rememberme.RememberMeServices] - Refreshing persistent login token for user 'Староверъ', series 'pgC9QXNyn5dZSfIhjlDc9A=='
      2014-01-18 08:14:11 [DEBUG][http-8080-14    ][][org.jtalks.jcommune.web.rememberme.RememberMeServices] - Remember-me cookie accepted
      2014-01-18 08:14:11 [ERROR][http-8080-15    ][][org.jtalks.jcommune.web.rememberme.RememberMeCheckService] - Староверъ presented token oTuxTvOvf/MRP2CGWlcSvw== of series pgC9QXNyn5dZSfIhjlDc9A== isn't equal for persistent token Yc4p9cr6zyEcXFJekWWkrQ==
      2014-01-18 08:14:11 [DEBUG][http-8080-15    ][][org.jtalks.jcommune.web.rememberme.RememberMeServices] - Remember-me cookie detected
      2014-01-18 08:14:11 [DEBUG][http-8080-15    ][][org.jtalks.jcommune.web.rememberme.RememberMeServices] - Cancelling cookie
      2014-01-18 08:14:11 [ERROR][http-8080-15    ][][rg.jtalks.jcommune.web.controller.ExceptionHandlerController] - RememberMe exception:
      org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
              at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:90)
              at org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:91)
              at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:77)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
              at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
              at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
              at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
              at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
              at org.jtalks.jcommune.web.filters.UsernamePasswordAuthenticationFilter.doFilter(UsernamePasswordAuthenticationFilter.java:63)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
              at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
              at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
              at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
              at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
              at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
              at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

          Activity

          mixaS Mikhail Stryzhonak added a comment -

          Yuliya Selyugina seems like these steps are not suitable for this issue. It can be reproduced following these steps and it is expected behaviour. You should use the steps which I described above to test this issue.

          xcandlelight Yuliya Selyugina added a comment - edited

          Mikhail Stryzhonak Those steps led me exactly to the mentioned bug on javatalks.ru and only after that I tested this issue on the qa instance, so please check this out.

          mixaS Mikhail Stryzhonak added a comment -

          Yuliya Selyugina after these steps the error may occur and it is expected behaviour, because a request with authentication info was sent by the client and processed by the server. The authentication information was changed by the server, but the response with the new info was not received by the client. After pressing F5 a second time the client sends the old authentication information, which already isn't valid.

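          The race described in the comment above, as an added example in Python (not JCommune's or Spring Security's code): a minimal model of the series/token persistent-login scheme behind PersistentTokenBasedRememberMeServices, with the token rotated on every accepted cookie, and the stale-token replay after a lost response that surfaces as the CookieTheftException in the log. The names RememberMeStore, auto_login and lost_response_replay are assumptions for illustration.

```python
import secrets


class CookieTheft(Exception):
    """Raised when a known series presents a token that is not its current one
    (the model's counterpart of Spring Security's CookieTheftException)."""


class RememberMeStore:
    """In-memory stand-in for the persistent_logins table: series -> (user, token)."""

    def __init__(self):
        self.by_series = {}

    def issue(self, username):
        """Interactive login: start a new series with a fresh token; both go in the cookie."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.by_series[series] = (username, token)
        return series, token

    def auto_login(self, series, token):
        """Cookie check. Match: rotate the token and return the new cookie value.
        Mismatch: the server cannot tell a stolen-then-rotated cookie from a
        stale one, so it revokes every series of that user and reports theft."""
        if series not in self.by_series:
            return None  # unknown series: cookie is simply cancelled
        username, current = self.by_series[series]
        if not secrets.compare_digest(token, current):
            self.revoke_user(username)
            raise CookieTheft(f"{username} presented token {token} of series "
                              f"{series} isn't equal for persistent token {current}")
        new_token = secrets.token_urlsafe(16)
        self.by_series[series] = (username, new_token)
        return username, series, new_token

    def revoke_user(self, username):
        for s in [s for s, (u, _) in self.by_series.items() if u == username]:
            del self.by_series[s]


def lost_response_replay(store):
    """The F5 race: the browser sends (series, t1); the server rotates to t2 but
    the response carrying the new cookie never reaches the browser; the browser
    then resends (series, t1). Returns True when the server reports theft."""
    series, t1 = store.issue("alice")          # constructed sample user
    store.auto_login(series, t1)               # request 1: rotated, reply lost
    try:
        store.auto_login(series, t1)           # request 2: stale token, known series
    except CookieTheft:
        return True
    return False
```

After the replay the user's series is gone from the store, which is why the next request falls through to the login page rather than being auto-logged in.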
          xcandlelight Yuliya Selyugina added a comment -

          "error may occur and it is expected behaviour."

          It not only may occur, but it always occurs on prod and never occurs on qa now. Is there something wrong with the qa instance then?
          P.S. It's not easy to reproduce your steps, because my browser proposes other instances, how can I deal with it? I tried to reproduce it stubbornly and didn't have any problems on either instance.

          ctapobep Stanislav Bashkyrtsev added a comment -

          I think both ways are equally valid.

            People

            • Assignee: xcandlelight Yuliya Selyugina
            • Reporter: ctapobep Stanislav Bashkyrtsev
            • Votes: 0
            • Watchers: 8


                Time Tracking

                • Estimated: Not Specified
                • Remaining: 0h
                • Logged: 4h
