SEC-2791: AbstractRememberMeServices sets the version

If the maxAge < 1 then the version must be 1 otherwise browsers ignore the value.
2025-06-14 08:02:22 +00:00 · 2015-02-04 15:57:45 -06:00 · 2015-02-04 15:57:45 -06:00 · 74f8534b17
commit 74f8534b17
parent 478a9650aa
2 changed files with 44 additions and 0 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@ -349,6 +349,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
        cookie.setMaxAge(maxAge);
        cookie.setPath(getCookiePath(request));

+        if(maxAge < 1) {
+            cookie.setVersion(1);
+        }
+
        if (useSecureCookie == null) {
            cookie.setSecure(request.isSecure());
        } else {
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
@ -1,5 +1,6 @@
 package org.springframework.security.web.authentication.rememberme;

+import static org.fest.assertions.Assertions.*;
 import static org.powermock.api.mockito.PowerMockito.*;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@ -352,6 +353,45 @@ public class AbstractRememberMeServicesTests {
        assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));
    }

+    // SEC-2791
+    @Test
+    public void setCookieMaxAge0VersionSet() {
+        MockRememberMeServices services = new MockRememberMeServices();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        services.setCookie(new String[] {"value"}, 0, request, response);
+
+        Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+        assertThat(cookie.getVersion()).isEqualTo(1);
+    }
+
+    // SEC-2791
+    @Test
+    public void setCookieMaxAgeNegativeVersionSet() {
+        MockRememberMeServices services = new MockRememberMeServices();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        services.setCookie(new String[] {"value"}, -1, request, response);
+
+        Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+        assertThat(cookie.getVersion()).isEqualTo(1);
+    }
+
+    // SEC-2791
+    @Test
+    public void setCookieMaxAge1VersionSet() {
+        MockRememberMeServices services = new MockRememberMeServices();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
+        services.setCookie(new String[] {"value"}, 1, request, response);
+
+        Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+        assertThat(cookie.getVersion()).isEqualTo(0);
+    }
+
    private Cookie[] createLoginCookie(String cookieToken) {
        MockRememberMeServices services = new MockRememberMeServices();
        Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,