• Type: Suggestion
    • Resolution: Duplicate
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      I just clicked the View comment link from a pull request email and got a CookieTheftException on Tomcat's default error page. After I got that I checked my cookies for stash.atlassian.com and neither my session cookie (JSESSIONID) nor my remember-me cookie (SPRING_SECURITY_REMEMBER_ME_COOKIE) was there. I've got no idea how to reproduce this situation, since when I went to https://stash.atlassian.com afterwards I was presented with the login form again.

      {code}
      org.springframework.security.web.authentication.rememberme.CookieTheftException: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
      org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.processAutoLoginCookie(PersistentTokenBasedRememberMeServices.java:102)
      org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.autoLogin(AbstractRememberMeServices.java:115)
      org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:97)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
      org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
      org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
      org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
      org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
      com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:111)
      ...
      {code}
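As background for the exception in the trace, here is an added illustration (not Stash's or Spring Security's code) of the series/token check that PersistentTokenBasedRememberMeServices performs: each remember-me cookie carries a random series id plus a random token, a valid auto-login rotates the token and keeps the series, and a known series presented with a stale token is treated as a cloned cookie, so every series the user owns is revoked. A client that resubmits a cookie from before a rotation (a stale tab, a second parallel request) trips the same check, which is why the message says "implies" and why all remember-me state for the user is gone afterwards. The names RememberMeStore, PersistentToken and TOKEN_VALIDITY are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass

TOKEN_VALIDITY = 14 * 24 * 3600  # seconds; constructed default, Spring's is configurable

class CookieTheftException(Exception):
    """Series is known but the presented token is not the current one."""

@dataclass
class PersistentToken:
    username: str
    token: str
    last_used: float

class RememberMeStore:
    """In-memory stand-in for a persistent token repository (constructed for this example)."""

    def __init__(self):
        self._by_series = {}  # series id -> PersistentToken

    def create(self, username, now):
        """Remember-me login: mint a fresh (series, token) pair; the cookie carries both."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._by_series[series] = PersistentToken(username, token, now)
        return series, token

    def auto_login(self, series, presented_token, now):
        """Validate a presented cookie; returns (username, new_cookie) or (None, None)."""
        rec = self._by_series.get(series)
        if rec is None:
            return None, None  # unknown series: invalid cookie, but no evidence of theft
        if not secrets.compare_digest(rec.token.encode(), presented_token.encode()):
            # Known series, stale token: a copied cookie was used by a second party, or a
            # client replayed a pre-rotation cookie. The store cannot tell these apart, so
            # all of the user's series are revoked and the caller must clear the cookie.
            self.revoke_user(rec.username)
            raise CookieTheftException("Invalid remember-me token (Series/token) mismatch")
        if now - rec.last_used > TOKEN_VALIDITY:
            del self._by_series[series]
            return None, None  # expired: fall back to an interactive login
        rec.token, rec.last_used = secrets.token_urlsafe(16), now  # rotate token, keep series
        return rec.username, (series, rec.token)

    def revoke_user(self, username):
        for s in [s for s, r in self._by_series.items() if r.username == username]:
            del self._by_series[s]

    def series_for(self, username):
        return sorted(s for s, r in self._by_series.items() if r.username == username)
```

In a servlet filter chain the exception should be caught and turned into a cleared cookie plus a redirect to the login form rather than reaching the container's default error page, which is the behaviour the report describes.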

            [BSERV-3054] CookieTheftException escaped

            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3396067 ] New: JAC Suggestion Workflow 3 [ 3624094 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: BSERV Suggestions Workflow [ 2686805 ] New: JAC Suggestion Workflow [ 3396067 ]
            Owen made changes -
            Workflow Original: Stash Workflow [ 460725 ] New: BSERV Suggestions Workflow [ 2686805 ]
            Status Original: Closed [ 6 ] New: Resolved [ 5 ]
            Stefan Saasen (Inactive) made changes -
            Affects Version/s Original: 2.1.0 [ 29717 ]
            Issue Type Original: Improvement [ 4 ] New: Suggestion [ 10000 ]
            Priority Original: Major [ 3 ]
            Seb Ruiz (Inactive) made changes -
            Resolution New: Duplicate [ 3 ]
            Status Original: Needs Triage [ 10030 ] New: Closed [ 6 ]
            Seb Ruiz (Inactive) made changes -
            Link New: This issue duplicates STASH-2814 [ STASH-2814 ]

            Hi Fabian,
            This is most likely a duplicate of STASH-2814. If you see this again or have any supporting evidence that this is actually a different issue, please reopen this issue or leave a comment on STASH-2814!

            Thanks,
            Seb

            fabs (Inactive) created issue -

              Assignee: Unassigned
              Reporter: fabs (Inactive) (fakraemer)
              Votes: 1
              Watchers: 3