2 Replies Latest reply on Apr 26, 2010 5:22 AM by Jie Liu

    Token based RememberMe: cookie not updated with HTTP 302 status

    Jie Liu Newbie

      Hi, all. I'm using Seam 2.1.2 in my project and found a strange problem. I'm using token based RememberMe with JpaTokenStore. The problem is that RemembeMe works in the first time a user tries to access proected resources but it will become invalid after that.


      After debugging the application I found the reason is here: After quietLogin successfully, Remember.postAuthenticate get invoked. In this method these lines are executed:


       String value = generateTokenValue();
                  tokenStore.createToken(identity.getPrincipal().getName(), value);
                  tokenSelector.setCookieEnabled(enabled);
                  tokenSelector.setCookieMaxAge(cookieMaxAge);
                  tokenSelector.setCookieValueIfEnabled(encodeToken(identity.getPrincipal().getName(), value));            
           
      



      Here the authenticationtoken in database is updated and tokenSelector tries to set a new cookie value with new generated token. Maybe because my application use redirect.returnToCapturedView after login, the server sends a HTTP 302 Moved Temporarily code to the browser. What I found is that the cookie value is not updated in the response header. I made some search but didn't find any useful information.  Is it because it is a HTTP 302 status? If so how can I solve this problem and let the cookie value get updated?



        • 1. Re: Token based RememberMe: cookie not updated with HTTP 302 status
          Jie Liu Newbie

          Sorry that piece of code is from RememberMe.postAuthenticate. I wrote a wrong class name in my post.

          • 2. Re: Token based RememberMe: cookie not updated with HTTP 302 status
            Jie Liu Newbie

            For those who have same problem as me. I found a temp solution for this problem. The easist way is to change the postAuthenticate of org.jboss.seam.security.RememberMe to the following content:


            @Observer(Identity.EVENT_POST_AUTHENTICATE)
               public void postAuthenticate(Identity identity)
               {
                  if (mode.equals(Mode.usernameOnly))
                  {
                     // Password is set to null during authentication, so we set dirty
                     usernameSelector.setDirty();
                           
                     if ( !enabled )
                     {
                        usernameSelector.clearCookieValue();
                     }
                     else
                     {
                        usernameSelector.setCookieMaxAge(cookieMaxAge);
                        usernameSelector.setCookieValueIfEnabled( Identity.instance().getCredentials().getUsername() );
                     }
                  }
                  else if (mode.equals(Mode.autoLogin))
                  {
                     tokenSelector.setDirty();
                     
                     DecodedToken decoded = new DecodedToken(tokenSelector.getCookieValue());
                     
                     // Invalidate the current token (if it exists) whether enabled or not
                     if (decoded.getUsername() != null)
                     {
                        tokenStore.invalidateToken(decoded.getUsername(), decoded.getValue());
                     }
                     
                     if ( !enabled ) 
                     {
                        tokenSelector.clearCookieValue();         
                     }
                     else if(!autoLoggedIn)
                     {
                        String value = generateTokenValue();
                        tokenStore.createToken(identity.getPrincipal().getName(), value);
                        tokenSelector.setCookieEnabled(enabled);
                        tokenSelector.setCookieMaxAge(cookieMaxAge);
                        tokenSelector.setCookieValueIfEnabled(encodeToken(identity.getPrincipal().getName(), value));            
                     }
                  }
               }        
              
            



            Actually just need to change the else in this block:


             else
                     {
                        String value = generateTokenValue();
                        tokenStore.createToken(identity.getPrincipal().getName(), value);
                        tokenSelector.setCookieEnabled(enabled);
                        tokenSelector.setCookieMaxAge(cookieMaxAge);
                        tokenSelector.setCookieValueIfEnabled(encodeToken(identity.getPrincipal().getName(), value));            
                     }
            



            change the else to else if(!autoLoggedIn)