Remember me
Implementing the remember me option
<http auto-config="true" use-expressions="true" access-decision-manager-ref="affirmativeBased">
  …
  <remember-me key="jbcpPetStore"/>
  <logout invalidate-session="true" logout-success-url="/" logout-url="/logout"/>
</http>
Edit the login.jsp file to add a checkbox similar to the following:
<input id="_spring_security_remember_me" name="_spring_security_remember_me" type="checkbox" value="true"/>
<label for="_spring_security_remember_me">Remember Me?</label>
<br />
How remember me works
The remember me feature sets a cookie on the user's browser containing a Base64 encoded string with the following pieces:
The user's username
An expiration date/time
An MD5 hash of the expiration date/time, username, and password
The application key defined in the key attribute of the <remember-me> element
MD5 is one of several well-known cryptographic hash algorithms. A cryptographic hash algorithm computes a compact, fixed-length representation of input data of arbitrary length, called a digest, which for practical purposes is unique to that input. The digest can later be used to verify that some unknown input precisely matches the input used to generate it, without requiring the original input to be available. The following diagram illustrates how this works:
Although a digest cannot be reversed directly to recover the original input (hashing is not encryption), MD5 is vulnerable to several types of attacks, including exploitation of weaknesses in the algorithm itself and rainbow table attacks. Rainbow tables typically contain the pre-computed hashes of millions of input values, which allows an attacker to look up a hash value in the table and recover the actual (unhashed) value. We'll see a method of combating this in Chapter 4, Securing Credential Storage, when we review password security.
Although we cannot decode the data, MD5 also has weaknesses, such as weaknesses in the algorithm itself and table-lookup attacks. Table lookup means collecting a very large number of input values and then comparing the results.
In the case of the remember me cookie, the o.s.s.web.authentication.rememberme.RememberMeAuthenticationFilter inserted into the filter chain by the <remember-me> configuration directive will review the contents of the cookie and use it to authenticate the user if it seems to be an authentic remember me cookie (see the Is remember me secure? section later in this chapter for reasons why this is done).
The following diagram illustrates the different components involved in the process of validating a remember me cookie:
The RememberMeAuthenticationFilter is inserted into the filter chain just after the SecurityContextHolderAwareRequestFilter, and just before the AnonymousProcessingFilter. Just as the other filters in the chain do, the RememberMeAuthenticationFilter will also inspect the request, and if it is of interest, action is taken.
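To make the cookie layout above and the filter's validation concrete, here is an added stand-alone model of the scheme in Python. It is not Spring Security's code: it builds a token as Base64(username:expiry:MD5(expiry:username:password:key)) using the jbcpPetStore key from the configuration, then validates it the way the filter must (parse, check expiry, recompute the hash from the stored password and application key, compare in constant time). The credential store and lookup_password callback are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# The key attribute from the <remember-me> element shown earlier in the chapter.
APP_KEY = "jbcpPetStore"

def make_token(username, password, expiry_ms, key=APP_KEY):
    """Build the cookie value as the chapter describes it:
    Base64( username : expiry : MD5(expiry : username : password : key) )."""
    signature = hashlib.md5(f"{expiry_ms}:{username}:{password}:{key}".encode()).hexdigest()
    return base64.b64encode(f"{username}:{expiry_ms}:{signature}".encode()).decode()

def decode_token(cookie):
    """Base64 is an encoding, not encryption: anyone who holds the cookie can
    read the username and expiry. rsplit keeps a username containing ':' intact."""
    username, expiry_ms, signature = base64.b64decode(cookie).decode().rsplit(":", 2)
    return username, int(expiry_ms), signature

def validate_token(cookie, lookup_password, key=APP_KEY, now_ms=None):
    """Mirror what the filter must check before trusting the cookie: well-formed,
    not expired, and the MD5 recomputed from the stored password and application
    key matches the presented one. lookup_password is a hypothetical
    username -> stored password function (constructed for this example).
    Returns the username on success, None otherwise."""
    try:
        username, expiry_ms, signature = decode_token(cookie)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and a bad int()
        return None
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if expiry_ms < now_ms:
        return None
    password = lookup_password(username)
    if password is None:
        return None
    expected = hashlib.md5(f"{expiry_ms}:{username}:{password}:{key}".encode()).hexdigest()
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(expected, signature):
        return None
    return username

if __name__ == "__main__":
    store = {"guest": "guest"}               # constructed sample credential store
    now = 1_000_000_000_000                  # constructed "current time" in ms
    cookie = make_token("guest", "guest", now + 14 * 24 * 3600 * 1000)
    print("fields readable by anyone:", decode_token(cookie)[:2])
    print("valid:", validate_token(cookie, store.get, now_ms=now))
    print("after password change:", validate_token(cookie, {"guest": "new"}.get, now_ms=now))
    print("wrong key:", validate_token(cookie, store.get, key="other", now_ms=now))
```

Because the user's password is one of the hashed factors, changing the password invalidates every outstanding remember me cookie for that user, and a differently keyed deployment cannot accept a cookie minted by another.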
Remember me and the user lifecycle
It can be helpful to be aware of the points in time when remember me services are informed of lifecycle functions:
Remember me configuration directives
Two configuration changes are commonly made to alter the default behavior of the remember me functionality:
As you may infer from the discussion of how the cookie contents are hashed, the key attribute is critical to the security of the remember me feature. Make sure that the key you choose is likely to be unique to your application, and long enough that it can't be easily guessed.
Configuration of remember me session cookies
If token-validity-seconds is set to -1, the login cookie will be set to a session cookie, which does not persist after the user closes their browser. The token will be valid (assuming the user doesn't close their browser) for a non-configurable length of 2 weeks. Don't confuse this with the cookie that stores your user's session ID—they're two different things with similar names!
Is remember me secure?
Any feature related to security that has been added for user convenience has the potential to expose a security risk to our carefully protected site. The remember me feature, in its default form, runs the risk of the user's cookie being intercepted and reused by a malicious user. The following diagram illustrates how this might happen:
Use of SSL (covered in Chapter 4) and other network security techniques can mitigate this type of attack, but be aware that there are other techniques, such as cross-site scripting (XSS), that could steal or compromise a remembered user session. While convenient for the user, we don't want to risk financial or other personal information being inadvertently changed or possibly stolen if the remembered session is misused.
Building an IP-aware remember me service
The basic approach for this implementation is to extend the o.s.s.web.authentication.rememberme.TokenBasedRememberMeServices base class so that the requestor's IP address is added both to the cookie itself and to the MD5 hash of the other remember me factors.
Extending the base class will involve overriding two key methods, and overriding or implementing some very minor helper methods. One other twist is that we'll have to temporarily store the HttpServletRequest (which we use to get the user's IP address) into a ThreadLocal, as some of the base class methods don't take HttpServletRequest as a parameter.
Extending TokenBasedRememberMeServices