From 74f8534b176c05d8678040b8be31e34a19d8820f Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 4 Feb 2015 15:57:45 -0600
Subject: [PATCH] SEC-2791: AbstractRememberMeServices sets the version

If the maxAge < 1 then the version must be 1 otherwise browsers ignore the value.
---
 .../AbstractRememberMeServices.java | 4 ++
 .../AbstractRememberMeServicesTests.java | 40 +++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
index ee25aee4ca..ec6670d83b 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServices.java
@@ -349,6 +349,10 @@ public abstract class AbstractRememberMeServices implements RememberMeServices,
 cookie.setMaxAge(maxAge);
 cookie.setPath(getCookiePath(request));
+ if(maxAge < 1) {
+ cookie.setVersion(1);
+ }
+
 if (useSecureCookie == null) {
 cookie.setSecure(request.isSecure());
 } else {
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
index 2417efc583..9188092a86 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java
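Review bot: The new `cookie.setVersion(1)` carries no explanation in the code; the reason (browsers ignore the max age of a version 0 cookie when maxAge < 1) lives only in the commit message, so a comment such as `// SEC-2791: browsers ignore maxAge < 1 on a version 0 cookie, so use version 1` should precede the new `if`. The added `if(maxAge < 1)` also lacks the space after `if` that the neighbouring `if (useSecureCookie == null)` uses. Switching to version 1 may change how the servlet container serializes the Set-Cookie header (attribute names, and possibly quoting of the value), which the tests in the second file do not exercise since they only read `getVersion()` from the mock response; a container-level check of the cancel path would be worth adding. The enclosing method begins and ends outside the hunk.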
@@ -1,5 +1,6 @@
 package org.springframework.security.web.authentication.rememberme;
+import static org.fest.assertions.Assertions.*;
 import static org.powermock.api.mockito.PowerMockito.*;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
@@ -352,6 +353,45 @@ public class AbstractRememberMeServicesTests {
 assertNull(ReflectionTestUtils.getField(services, "setHttpOnlyMethod"));
 }
+ // SEC-2791
+ @Test
+ public void setCookieMaxAge0VersionSet() {
+ MockRememberMeServices services = new MockRememberMeServices();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ services.setCookie(new String[] {"value"}, 0, request, response);
+
+ Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+ assertThat(cookie.getVersion()).isEqualTo(1);
+ }
+
+ // SEC-2791
+ @Test
+ public void setCookieMaxAgeNegativeVersionSet() {
+ MockRememberMeServices services = new MockRememberMeServices();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ services.setCookie(new String[] {"value"}, -1, request, response);
+
+ Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+ assertThat(cookie.getVersion()).isEqualTo(1);
+ }
+
+ // SEC-2791
+ @Test
+ public void setCookieMaxAge1VersionSet() {
+ MockRememberMeServices services = new MockRememberMeServices();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ MockHttpServletResponse response = new MockHttpServletResponse();
+
+ services.setCookie(new String[] {"value"}, 1, request, response);
+
+ Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
+ assertThat(cookie.getVersion()).isEqualTo(0);
+ }
+
 private Cookie[] createLoginCookie(String cookieToken) {
 MockRememberMeServices services = new MockRememberMeServices();
 Cookie cookie = new Cookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY,
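Review bot: The three new tests repeat the same setup and differ only in the maxAge argument and the expected version; a private helper that performs the `setCookie` call and returns the cookie's version would reduce each test to a single assertion such as `assertThat(cookieVersionForMaxAge(0)).isEqualTo(1);`. The helper is also the natural place for an `assertThat(cookie).isNotNull()` guard, because if no cookie is written the current tests fail with a NullPointerException on `cookie.getVersion()` instead of a readable assertion message. The boundary coverage itself (-1, 0 and 1 around the `maxAge < 1` check) is good. The new tests use FEST `assertThat` while the method just above uses JUnit `assertNull`; the class should settle on one assertion style.
```java
// SEC-2791: setCookie forces cookie version 1 only when maxAge < 1
private int cookieVersionForMaxAge(int maxAge) {
    MockRememberMeServices services = new MockRememberMeServices();
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();

    services.setCookie(new String[] {"value"}, maxAge, request, response);

    Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
    assertThat(cookie).isNotNull();
    return cookie.getVersion();
}

@Test
public void setCookieMaxAge0VersionSet() {
    assertThat(cookieVersionForMaxAge(0)).isEqualTo(1);
}

@Test
public void setCookieMaxAgeNegativeVersionSet() {
    assertThat(cookieVersionForMaxAge(-1)).isEqualTo(1);
}

@Test
public void setCookieMaxAge1VersionSet() {
    assertThat(cookieVersionForMaxAge(1)).isEqualTo(0);
}
// … unchanged: createLoginCookie …
```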