
Losing spring security remember me subdomain cookie following redirect

I believe my issue is something very similar to the following question: Spring security 'remember me' cookie not available in first request.

Basically I have a set of applications for a corporate intranet that share authentication through a remember me cookie. The cookie's domain is set to .domain.com so it can be shared across applications since they are all on the same domain or subdomain.

If a user is not logged in and attempts to go to a secured application they are redirected to a central application for login. After logging in the user is redirected to the original application they were sent to the login screen from; however, here is where the issue begins. On this first request the Remember Cookie will not be present in the HttpServletRequest on the app receiving the redirect and the user will fail to log in, being redirected right back to the login screen. At this point, though, the actual cookie is in existence and valid, and the user can manually go to the URL they just came from and be logged in by the remember me cookie.

For example

domain.com/app -> redirect -> domain.com/main/login -> redirect -> domain.com/app -> redirect -> domain.com/main/login -> manually navigate -> domain.com/app -> logged in.

I've tried several solutions from redirecting on the backend with response.sendRedirect to send the user to an intermediate page first that redirects with JS and none of it has helped. The cookie is simply not there on the first request for the other applications. To make it even more confusing, if the login redirects to the main application that contains the login page, the cookie is there instantly on the first request.

Any thoughts?

user1795894 asked Jan 22 '26 14:01


1 Answer

This ended up being due to the request cache getting in the way during our series of post-login redirects. Adding the following to our Java security config fixed the issue.

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.savedrequest.NullRequestCache;

    public HttpSecurity configureHttp(HttpSecurity http, IntranetSecurityAccessDeniedHandler intranetSecurityAccessDeniedHandler) throws Exception {
        // Disable the request cache so the saved pre-login request does not interfere with the post-login redirect chain.
        return http.requestCache().requestCache(new NullRequestCache()).and();
    }
user1795894 answered Jan 24 '26 03:01
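As an added example that is not the poster's code, the following shows the NullRequestCache fix from the answer combined with a remember-me cookie scoped to the shared parent domain, in a single Spring Security filter chain. It assumes Spring Security 5.7 or later (lambda DSL), and the key value, cookie name and validity period are placeholders; only the parent domain `.domain.com` comes from the question.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.savedrequest.NullRequestCache;

@Configuration
public class SharedRememberMeConfig {

    // Assumed placeholder. Every application sharing the cookie must use the SAME
    // key, because the remember-me token signature is computed over it: an app
    // configured with a different key will reject tokens minted by the login app.
    private static final String REMEMBER_ME_KEY = "<shared-remember-me-key-placeholder>";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .rememberMe(rm -> rm
                .key(REMEMBER_ME_KEY)
                // Parent-domain cookie (".domain.com", from the question) so every
                // application under that domain receives it once it has been set.
                .rememberMeCookieDomain(".domain.com")
                .rememberMeCookieName("REMEMBER_ME")          // assumed name
                .tokenValiditySeconds(14 * 24 * 60 * 60)      // assumed: 14 days
                // Secure flag keeps the shared cookie off plain-HTTP requests.
                .useSecureCookie(true))
            // The fix from the answer: with no request cache, Spring Security does
            // not replay the saved pre-login request, which was getting in the way
            // of the series of post-login redirects between the applications.
            .requestCache(rc -> rc.requestCache(new NullRequestCache()))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The same `rememberMe` block (key, cookie name and domain) has to be present in each application that should accept the shared cookie, not only in the one hosting the login page.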