Describe the bug
The remember-me token is not invalidated when navigating to the logout URL using a request which includes both of:
- a missing, invalid, or expired session cookie
- a valid remember-me token cookie
This occurs because the spring-security logout filter is applied before session-management, remember-me authentication, and any other authentication filters.
To Reproduce
- Login to a spring-security application, with session management, remember-me authentication, and logout configured.
- Remove the session cookie, or replace with an invalid cookie.
- Navigate to the logout URL.
- Attempt to auto-login using the remember-me token, login succeeds.
Step 2 is not likely to occur in practice. However, the following is possible in a real-world scenario, but is difficult to reproduce. During the login request (step 2), the following occurs:
- The session cookie in the browser is included in the logout request, and the request sent.
- The session expires.
- The server subsequently receives the request.
In this scenario, the remember-me token should definitely be invalidated. However, I expect that it would not be as the LogoutFilter is applied before the session-management and remember-me authentication filters.
Expected behavior
In the above scenarios, we expect the remember-me token to have been invalidated. Thus subsequent auto-login attempts using that token should fail.
Sample
Not provided.
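As an added example (not code from the issue or from Spring Security itself), one defensive workaround for the ordering problem described above: a fallback LogoutHandler that, when the logout request arrives with no session, resolves the user from the persistent remember-me cookie's series id and revokes the tokens server-side. It assumes Spring Security 6 with jakarta.servlet, PersistentTokenBasedRememberMeServices with the default cookie name "remember-me", and the registration call shown in the comment.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

// Added fallback LogoutHandler: because LogoutFilter runs before remember-me authentication, a
// session-less logout request gives the built-in remember-me logout handler a null Authentication,
// so the user's persistent tokens are never removed. This resolves the user from the cookie instead.
// Register it with http.logout(l -> l.addLogoutHandler(new RememberMeCookieLogoutHandler(repo)));
public class RememberMeCookieLogoutHandler implements LogoutHandler {
    private static final String COOKIE_NAME = "remember-me"; // assumption: the default cookie name
    private final PersistentTokenRepository tokenRepository;

    public RememberMeCookieLogoutHandler(PersistentTokenRepository tokenRepository) {
        this.tokenRepository = tokenRepository;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
        // Session present: PersistentTokenBasedRememberMeServices.logout already revokes the tokens.
        if (auth != null) return;
        String series = extractSeries(request);
        // The cookie value is client-controlled; getTokenForSeries uses a parameterised query.
        PersistentRememberMeToken stored = series == null ? null : tokenRepository.getTokenForSeries(series);
        if (stored != null) tokenRepository.removeUserTokens(stored.getUsername());
    }

    // Persistent remember-me cookies are base64(urlencode(series) ":" urlencode(token)) with the
    // '=' padding stripped, mirroring AbstractRememberMeServices.decodeCookie; returns series or null.
    static String extractSeries(HttpServletRequest request) {
        if (request.getCookies() == null) return null;
        for (Cookie c : request.getCookies()) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            StringBuilder padded = new StringBuilder(c.getValue());
            while (padded.length() % 4 != 0) padded.append('=');
            try {
                String plain = new String(Base64.getDecoder().decode(padded.toString()), StandardCharsets.UTF_8);
                String[] parts = plain.split(":");
                return parts.length == 2 ? URLDecoder.decode(parts[0], StandardCharsets.UTF_8) : null;
            } catch (IllegalArgumentException e) {
                return null; // malformed cookie: nothing to revoke
            }
        }
        return null;
    }
}
```

Expiring the cookie in the browser is still done by the built-in remember-me logout handler, which runs regardless of whether an Authentication is present; this handler only adds the server-side revocation that is skipped when the session is gone.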
Comment From: drzuby
Are there any plans to address this issue? I've also encountered it in my application and it is a serious security leak.
Comment From: theMyth721
I am experiencing the same thing. I am building my own Spring Boot starter. After the session expires I am not able to clear the remember-me token on logout and I get a 403. I could easily create my own filter that does this and place it before the logout filter, but I wonder if there will be any other side effects; I have been told the filter order is important. There is not an ounce of documentation that mentions anything about this anywhere.