CookieTheftException after rollout of new version

We have done a rollout for a new version of our application. One user got the following exception on login.

CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
Stacktrace
2021-12-03 06:07:39.215 ERROR 65653 --- [http-nio-8080-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
    at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:113) ~[spring-security-web-5.5.2.jar!/:5.5.2]
    at org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:136) ~[spring-security-web-5.5.2.jar!/:5.5.2]
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:104) ~[spring-security-web-5.5.2.jar!/:5.5.2]
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:92) ~[spring-security-web-5.5.2.jar!/:5.5.2]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.5.2.jar!/:5.5.2]

Hi,
Ok, but what is the question?

Sorry, I forgot to mention that no screen and no message loads for the user; we only found the exception and the stack trace in the logs. So we had to guide him to delete the cookies manually.

The question is how we can avoid this exception.
Can we change something in the rollout process so that the remember-me cookies stay valid, or is there any way to catch the exception, and if so, how do we handle it?

Regards

Well, the cookie in the browser should be erased after the application throws the CookieTheftException. When I tried to reproduce the problem, I first got the Tomcat error screen; after I refreshed the page, I got the login screen and could log in after that. No need to manually erase the cookie. Did you have a different experience?

I’ve created an issue. We should probably redirect to the login page after the exception occurs.

As I understand, deploying the new application version should not affect the remember-me cookie.

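To make the exception in this thread concrete, here is an added example (not part of the thread and not Spring Security's code) that models the series/token scheme behind PersistentTokenBasedRememberMeServices: each "remember me" login mints a series with a token, the token is rotated on every successful auto-login, an unknown series is rejected as a plain remember-me failure, and a known series presented with a stale token is treated as cookie theft and revokes every series of that user. The class and function names, the three scenarios and the usernames are constructed for the illustration. The second scenario shows why a browser that sends two requests with the same remember-me cookie before it has stored the rotated one will trip the theft check even though no attacker is involved, and the third shows that simply losing the token store on a restart produces a different rejection, not a series/token mismatch.

```python
"""Model of the series/token persistent-login scheme used by Spring Security's
PersistentTokenBasedRememberMeServices. Illustration only, not Spring's code."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


class RememberMeError(Exception):
    """Cookie rejected for a benign reason, e.g. the series is unknown."""


class CookieTheftError(RememberMeError):
    """Known series presented with a stale token: treated as a replayed cookie."""


@dataclass
class PersistentToken:
    username: str
    series: str
    token: str


class PersistentTokenRememberMe:
    """Server side. One record per (browser, user) series; token rotates on auto-login."""

    def __init__(self) -> None:
        self._by_series = {}  # series -> PersistentToken (in-memory store for the demo)

    def login_success(self, username: str) -> tuple[str, str]:
        """Interactive login with 'remember me' ticked: mint a series, return the cookie."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._by_series[series] = PersistentToken(username, series, token)
        return series, token

    def auto_login(self, cookie: tuple[str, str]) -> tuple[str, tuple[str, str]]:
        """Validate a presented cookie; return (username, rotated cookie) or raise."""
        series, presented = cookie
        record = self._by_series.get(series)
        if record is None:
            raise RememberMeError("no persistent token found for series")
        if not secrets.compare_digest(record.token, presented):
            # The series is real but the token is not the latest one issued for it,
            # so someone holds an older copy of this cookie. Every series of the
            # user is revoked, as Spring does via removeUserTokens().
            self.remove_user_tokens(record.username)
            raise CookieTheftError("series/token mismatch; implies cookie theft")
        record.token = secrets.token_urlsafe(16)  # rotate on every successful use
        return record.username, (series, record.token)

    def remove_user_tokens(self, username: str) -> None:
        for s in [s for s, r in self._by_series.items() if r.username == username]:
            del self._by_series[s]

    def has_tokens_for(self, username: str) -> bool:
        return any(r.username == username for r in self._by_series.values())


def _try(svc: PersistentTokenRememberMe, cookie: tuple[str, str]) -> str:
    """Classify the server's verdict on one presented cookie."""
    try:
        svc.auto_login(cookie)
    except CookieTheftError:
        return "theft_detected"
    except RememberMeError:
        return "no_token_for_series"
    return "accepted"


def scenario_stolen_cookie() -> dict:
    """Intended use: attacker replays a copied cookie after the victim rotated it."""
    svc = PersistentTokenRememberMe()
    cookie = svc.login_success("alice")
    stolen = cookie                     # attacker copies the cookie jar
    _, cookie = svc.auto_login(cookie)  # victim returns, token rotates
    return {"replay": _try(svc, stolen), "alice_remembered": svc.has_tokens_for("alice")}


def scenario_parallel_requests() -> dict:
    """Failure mode: two requests carry the same cookie before the browser has
    stored the rotated cookie from the first response (no attacker involved)."""
    svc = PersistentTokenRememberMe()
    cookie = svc.login_success("bob")
    _, rotated = svc.auto_login(cookie)  # request 1 rotates the token
    second = _try(svc, cookie)           # request 2 still carries the old token
    third = _try(svc, rotated)           # the fresh cookie is now dead as well
    return {"second_request": second, "rotated_cookie_afterwards": third}


def scenario_store_wiped() -> str:
    """Contrast: an in-memory store emptied by a restart gives a plain
    'no persistent token' rejection, not a series/token mismatch."""
    svc = PersistentTokenRememberMe()
    cookie = svc.login_success("carol")
    svc = PersistentTokenRememberMe()    # new process, empty store
    return _try(svc, cookie)


if __name__ == "__main__":
    print(scenario_stolen_cookie())
    print(scenario_parallel_requests())
    print(scenario_store_wiped())
```

The takeaway for the thread: a series/token mismatch means the store still knew the series but held a newer token than the browser sent, so either the cookie was copied or the browser replayed a token the server had already rotated; a store that simply did not survive the deployment would reject the cookie with a different message. Because the theft check revokes all of the user's series, a single stray replay is enough to force a fresh interactive login.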

Hi,
thanks for your reply.
We will watch this at the deployment of the next version.
Regards