Currently the autoLogin cookie function

    // in PersistentTokenBasedRememberMeServices
    protected UserDetails processAutoLoginCookie(String[] cookieTokens,
            HttpServletRequest request, HttpServletResponse response) {

refreshes the token at the end of the function and sets a new cookie. But if multiple requests come at the same time when reloading a page, it results in a CookieTheftException, because the old cookie is still being presented while the new cookie has just been set, at the same time.

One fix for this would be to not invalidate the old cookie instantly, but to give it another few seconds to remain valid; that way this concurrency issue will not happen. Even 10 seconds should be enough time. Once the concurrency issue happens, the user is logged out completely, even though they had a perfectly good remember-me token.

Perhaps this could be added as a feature that can be turned on/off? Something like "old_token_time_to_live". It seems others have complained of the same issue. I see it routinely on my site since I have lots of images and they're all loading concurrently.

org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.

https://stackoverflow.com/questions/17425275/how-to-fix-invalid-remember-me-token-series-token-mismatch-error/40140189#40140189
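One way to implement the grace period proposed above, as an added example that is not part of this issue or of Spring Security itself. It subclasses PersistentTokenBasedRememberMeServices and, for a configurable window (the "old_token_time_to_live" idea), accepts the token value a series was just rotated away from without rotating again. The class name, the `Duration grace` parameter and the in-memory maps are assumptions made for this example; the imports assume Spring Security 5.x (`javax.servlet`), so use `jakarta.servlet` on 6.x.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

/**
 * Hypothetical example (not Spring Security code): keeps the token value a series
 * was just rotated away from valid for a short grace window, so that concurrent
 * requests still carrying the old cookie (images loading in parallel) are not
 * treated as cookie theft.
 */
public class GracePeriodRememberMeServices extends PersistentTokenBasedRememberMeServices {

    /** The previous token value of a series and when it was replaced. */
    private static final class Rotation {
        final String replacedValue;
        final Instant replacedAt;

        Rotation(String replacedValue, Instant replacedAt) {
            this.replacedValue = replacedValue;
            this.replacedAt = replacedAt;
        }

        boolean expired(Duration grace, Instant now) {
            return replacedAt.plus(grace).isBefore(now);
        }
    }

    private final PersistentTokenRepository tokenRepository;
    private final Duration grace; // the proposed "old_token_time_to_live"
    private final Map<String, Rotation> recentRotations = new ConcurrentHashMap<>();
    private final Map<String, Object> seriesLocks = new ConcurrentHashMap<>();

    public GracePeriodRememberMeServices(String key, UserDetailsService userDetailsService,
            PersistentTokenRepository tokenRepository, Duration grace) {
        super(key, userDetailsService, tokenRepository);
        this.tokenRepository = tokenRepository;
        this.grace = grace;
    }

    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
            HttpServletResponse response) {
        if (cookieTokens.length != 2) {
            // Let the parent raise its usual InvalidCookieException for malformed cookies.
            return super.processAutoLoginCookie(cookieTokens, request, response);
        }
        String series = cookieTokens[0];
        String presented = cookieTokens[1];

        // Serialize requests for the same series so the second of two concurrent
        // requests always sees the rotation the first one recorded. This state is
        // per JVM only; a multi-node deployment would need a shared store.
        Object lock = seriesLocks.computeIfAbsent(series, s -> new Object());
        synchronized (lock) {
            Instant now = Instant.now();
            recentRotations.values().removeIf(r -> r.expired(grace, now));

            Rotation recent = recentRotations.get(series);
            if (recent != null && recent.replacedValue.equals(presented)) {
                // A request that raced ahead already rotated this series. Inside the
                // grace window, accept the previous value, re-send the current cookie so
                // the client catches up, and do not rotate again. This must run before
                // super.processAutoLoginCookie(): on a mismatch the parent deletes all of
                // the user's tokens before throwing CookieTheftException.
                PersistentRememberMeToken current = tokenRepository.getTokenForSeries(series);
                if (current != null) {
                    setCookie(new String[] { series, current.getTokenValue() },
                            getTokenValiditySeconds(), request, response);
                    return getUserDetailsService().loadUserByUsername(current.getUsername());
                }
            }

            // Normal path: note which value the parent is about to replace, then let it
            // verify, rotate and set the new cookie as usual.
            PersistentRememberMeToken before = tokenRepository.getTokenForSeries(series);
            UserDetails user = super.processAutoLoginCookie(cookieTokens, request, response);
            if (before != null) {
                recentRotations.put(series, new Rotation(before.getTokenValue(), now));
            }
            return user;
        }
    }
}
```

Register it in place of PersistentTokenBasedRememberMeServices with something like `new GracePeriodRememberMeServices(key, userDetailsService, tokenRepository, Duration.ofSeconds(10))`. The trade-off is explicit: for the length of the grace window a stolen old token value is accepted once more, so keep the window at the few seconds a page load needs. The `seriesLocks` map is never pruned here (removing a lock while another thread waits on it is unsafe), so a production version needs a bounded or weak-keyed lock map.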

Comment From: marcusdacoregio

Closing as duplicate of https://github.com/spring-projects/spring-security/issues/2648