2 Replies Latest reply on Apr 26, 2010 5:22 AM by jayliu2000.jayliu2000.hotmail.com

    Token based RememberMe: cookie not updated with HTTP 302 status

    jayliu2000.jayliu2000.hotmail.com

      Hi, all. I'm using Seam 2.1.2 in my project and found a strange problem. I'm using token based RememberMe with JpaTokenStore. The problem is that RememberMe works the first time a user tries to access protected resources, but it becomes invalid after that.


      After debugging the application I found the reason is here: after quietLogin succeeds, Remember.postAuthenticate gets invoked. In this method these lines are executed:


       String value = generateTokenValue();
       tokenStore.createToken(identity.getPrincipal().getName(), value);
       tokenSelector.setCookieEnabled(enabled);
       tokenSelector.setCookieMaxAge(cookieMaxAge);
       tokenSelector.setCookieValueIfEnabled(encodeToken(identity.getPrincipal().getName(), value));



      Here the authentication token in the database is updated and tokenSelector tries to set a new cookie value with the newly generated token. Maybe because my application uses redirect.returnToCapturedView after login, the server sends an HTTP 302 Moved Temporarily code to the browser. What I found is that the cookie value is not updated in the response header. I searched but didn't find any useful information. Is it because it is an HTTP 302 status? If so, how can I solve this problem and let the cookie value get updated?



        • 1. Re: Token based RememberMe: cookie not updated with HTTP 302 status
          jayliu2000.jayliu2000.hotmail.com

          Sorry, that piece of code is from RememberMe.postAuthenticate. I wrote a wrong class name in my post.

          • 2. Re: Token based RememberMe: cookie not updated with HTTP 302 status
            jayliu2000.jayliu2000.hotmail.com

            For those who have the same problem as me: I found a temporary solution for this problem. The easiest way is to change the postAuthenticate of org.jboss.seam.security.RememberMe to the following content:


            @Observer(Identity.EVENT_POST_AUTHENTICATE)
            public void postAuthenticate(Identity identity)
            {
               if (mode.equals(Mode.usernameOnly))
               {
                  // Password is set to null during authentication, so we set dirty
                  usernameSelector.setDirty();

                  if ( !enabled )
                  {
                     usernameSelector.clearCookieValue();
                  }
                  else
                  {
                     usernameSelector.setCookieMaxAge(cookieMaxAge);
                     usernameSelector.setCookieValueIfEnabled( Identity.instance().getCredentials().getUsername() );
                  }
               }
               else if (mode.equals(Mode.autoLogin))
               {
                  tokenSelector.setDirty();

                  DecodedToken decoded = new DecodedToken(tokenSelector.getCookieValue());

                  // Invalidate the current token (if it exists) whether enabled or not
                  if (decoded.getUsername() != null)
                  {
                     tokenStore.invalidateToken(decoded.getUsername(), decoded.getValue());
                  }

                  if ( !enabled )
                  {
                     tokenSelector.clearCookieValue();
                  }
                  else if (!autoLoggedIn) // changed from a plain "else": do not issue a new token after a quiet (auto) login
                  {
                     String value = generateTokenValue();
                     tokenStore.createToken(identity.getPrincipal().getName(), value);
                     tokenSelector.setCookieEnabled(enabled);
                     tokenSelector.setCookieMaxAge(cookieMaxAge);
                     tokenSelector.setCookieValueIfEnabled(encodeToken(identity.getPrincipal().getName(), value));
                  }
               }
            }



            Actually, you just need to change the else in this block:


            else
            {
               String value = generateTokenValue();
               tokenStore.createToken(identity.getPrincipal().getName(), value);
               tokenSelector.setCookieEnabled(enabled);
               tokenSelector.setCookieMaxAge(cookieMaxAge);
               tokenSelector.setCookieValueIfEnabled(encodeToken(identity.getPrincipal().getName(), value));
            }



            Change the else to else if(!autoLoggedIn).
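The failure described in this thread is a desynchronisation between the server-side token store and the browser's cookie: the token is rotated on every authentication, but the Set-Cookie carrying the new value is lost on the 302 redirect, so the browser keeps presenting a token the store has already invalidated. The following is an added, self-contained model of that lifecycle; it is not Seam code and not the poster's code. The names TokenStore, Browser, interactiveLogin and quietLogin are constructed for this example, the cookie format "username:token" is a simplification of Seam's encoded token, and the thread's workaround is modelled simply as "leave the presented token untouched on a quiet login".

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Constructed model (not Seam code) of a rotating remember-me token whose
 * Set-Cookie header is dropped on a 302 redirect. Runs stand-alone.
 */
public class RememberMeRedirectDemo {

    /** In-memory stand-in for a JpaTokenStore: username -> currently valid token values. */
    static final class TokenStore {
        private final Map<String, Set<String>> tokens = new HashMap<>();

        void createToken(String username, String value) {
            tokens.computeIfAbsent(username, k -> new HashSet<>()).add(value);
        }

        void invalidateToken(String username, String value) {
            Set<String> values = tokens.get(username);
            if (values != null) values.remove(value);
        }

        boolean validateToken(String username, String value) {
            Set<String> values = tokens.get(username);
            return values != null && values.contains(value);
        }
    }

    /** Browser-side cookie jar; the flag models whether a Set-Cookie sent on the 302 is applied. */
    static final class Browser {
        String rememberMeCookie;                 // constructed format "username:tokenValue", or null
        final boolean setCookieSurvivesRedirect;

        Browser(boolean setCookieSurvivesRedirect) {
            this.setCookieSurvivesRedirect = setCookieSurvivesRedirect;
        }

        void onSetCookieViaRedirect(String value) {
            if (setCookieSurvivesRedirect) rememberMeCookie = value;
        }
    }

    private static final SecureRandom RANDOM = new SecureRandom();

    /** 256-bit random token, URL-safe base64 without padding. */
    static String generateTokenValue() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Form login (credentials already verified). The thread reports this cookie does arrive. */
    static void interactiveLogin(TokenStore store, Browser browser, String username) {
        String value = generateTokenValue();
        store.createToken(username, value);
        browser.rememberMeCookie = username + ":" + value;
    }

    /**
     * Cookie-only request to a protected page: validate, then (optionally) rotate the token
     * the way postAuthenticate does. Returns true when the user ends up authenticated.
     * rotateOnAutoLogin=true  -> original behaviour: invalidate presented token, issue a new one
     * rotateOnAutoLogin=false -> the workaround, modelled as leaving the presented token alone
     */
    static boolean quietLogin(TokenStore store, Browser browser, boolean rotateOnAutoLogin) {
        if (browser.rememberMeCookie == null) return false;
        String[] parts = browser.rememberMeCookie.split(":", 2);
        if (parts.length != 2 || !store.validateToken(parts[0], parts[1])) return false;
        if (rotateOnAutoLogin) {
            store.invalidateToken(parts[0], parts[1]);
            String fresh = generateTokenValue();
            store.createToken(parts[0], fresh);
            // The response to this request is the 302 from returnToCapturedView.
            browser.onSetCookieViaRedirect(parts[0] + ":" + fresh);
        }
        return true;
    }

    public static void main(String[] args) {
        for (boolean rotate : new boolean[] {true, false}) {
            TokenStore store = new TokenStore();
            Browser browser = new Browser(false); // models the reported 302: Set-Cookie never applied
            interactiveLogin(store, browser, "alice");
            boolean firstVisit = quietLogin(store, browser, rotate);
            boolean secondVisit = quietLogin(store, browser, rotate);
            System.out.printf("rotateOnAutoLogin=%s: first visit=%s, second visit=%s%n",
                    rotate, firstVisit, secondVisit);
        }
    }
}
```

With rotation enabled the first cookie-only visit succeeds and the second fails, which is exactly the symptom reported above; with rotation skipped both succeed. Two things worth keeping in mind when adopting the workaround: first, confirm the diagnosis by inspecting the headers of the 302 response itself (browser developer tools or `curl -i` against the login URL) to see whether the Set-Cookie is absent or merely ignored; second, note the trade-off, since a rotated token is only usable until the legitimate user's next visit, whereas a token that is never rotated stays valid for the full cookieMaxAge, so a stolen remember-me cookie remains usable for longer.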