Thursday, September 13, 2018

GWT into Spring Boot with remember-me is not working


I have an application based in Spring Boot and the latest GWT 2.8.2. In the application I have some protected resources one with GWT and others with standard Servlets and JSP pages.
Now I have included the remember-me feature; it is working with all the protected resources except the GWT section, which fails.

My GWT Servlets extend RemoteServiceServlet.

It is raising this error: Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.

I have debugged the internal Spring Security class PersistentTokenBasedRememberMeServices, and the error is raised because the initial tokenValue is, for some reason, changed in the middle:

    protected UserDetails processAutoLoginCookie(String[] cookieTokens,
            HttpServletRequest request, HttpServletResponse response) {

        if (cookieTokens.length != 2) {
            throw new InvalidCookieException("Cookie token did not contain " + 2
                    + " tokens, but contained '" + Arrays.asList(cookieTokens) + "'");
        }

        final String presentedSeries = cookieTokens[0];
        final String presentedToken = cookieTokens[1];

        // Look up the stored token by its series identifier
        PersistentRememberMeToken token = tokenRepository
                .getTokenForSeries(presentedSeries);

        if (token == null) {
            // No series match, so we can't authenticate using this cookie
            throw new RememberMeAuthenticationException(
                    "No persistent token found for series id: " + presentedSeries);
        }

        // We have a match for this user/series combination
        if (!presentedToken.equals(token.getTokenValue())) {
            // Token doesn't match series value. Delete all logins for this user and throw
            // an exception to warn them.
            tokenRepository.removeUserTokens(token.getUsername());

            throw new CookieTheftException(
                    "Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.");
        }
        // ... remainder of the method (expiry check, token rotation, user lookup) omitted
    }

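As an added illustration (not code from the post or from Spring Security, whose real classes are PersistentTokenRepository and PersistentTokenBasedRememberMeServices), a small Java model of the series/token scheme: every successful auto-login rotates the token value stored for the series, so a second request that still carries the previous cookie value trips the same mismatch check shown above. All class and method names here are invented for the demo.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Minimal model of persistent-token remember-me (demo only, not Spring Security code).
public class RememberMeRotationDemo {

    // series -> current token value; stands in for PersistentTokenRepository
    static final Map<String, String> repository = new HashMap<>();

    static String newValue() {
        return UUID.randomUUID().toString();
    }

    // Issued at interactive login: the cookie carries {series, token}.
    static String[] login() {
        String series = newValue();
        String token = newValue();
        repository.put(series, token);
        return new String[] {series, token};
    }

    // Mirrors processAutoLoginCookie: verify the presented pair, then rotate
    // the token and return the new cookie value the client must use from now on.
    static String[] autoLogin(String[] cookie) {
        String stored = repository.get(cookie[0]);
        if (stored == null) {
            throw new IllegalStateException("No persistent token found for series id: " + cookie[0]);
        }
        if (!stored.equals(cookie[1])) {
            repository.remove(cookie[0]); // Spring Security removes all tokens for the user here
            throw new IllegalStateException("Invalid remember-me token (Series/token) mismatch");
        }
        String rotated = newValue();
        repository.put(cookie[0], rotated);
        return new String[] {cookie[0], rotated};
    }

    public static void main(String[] args) {
        String[] original = login();
        String[] fresh = autoLogin(original); // first request: accepted, token rotated
        System.out.println("rotated token: " + fresh[1]);
        try {
            autoLogin(original); // second request still presenting the OLD cookie value
        } catch (IllegalStateException e) {
            System.out.println("second request rejected: " + e.getMessage());
        }
        autoLogin(fresh); // the rotated cookie is accepted
    }
}
```

The model only shows how a tokenValue that changed between two requests produces exactly this exception; which component in the GWT section causes the change is not established by the post.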