Shiro: how does remember me work?
I've got a few questions about Shiro's remember me feature:

  1. Why does Shiro generate different "remember me" token values for the same account on each login?
  2. Would a hacker be able to generate a "remember me" token for any account if I use the default CipherKey?
  3. How can I control the "remember me" duration? By Cookie age? So if the client cookie never expires then that "remember me" cookie will work forever?
Rickets answered 29/10, 2014 at 19:42 Comment(0)
Shiro's default "remember me" functionality is quite problematic, for exactly the reasons you have picked up here. This is an excellent question. I have found the same issues when I started digging into their implementation.

  1. Because a random IV is used each time

    The "remember me" cookie contains only the "Principals", i.e. your username, encrypted with AES (by default). Each time you log in, the exact same information will be encrypted with the exact same key. Shiro does use a random IV by default -- see JcaCipherService, so the encrypted binary blob will appear random on each login.

  2. YES!

    If a hacker knows the username of any account on your website, and if you are using Shiro with its default settings, then it will be easy for them to generate a valid "remember me" token and log into your website.

    Hopefully you have marked all sensitive actions with "@RequiresAuthentication", and don't allow only-remembered users to see anything sensitive, although this would be an easy mistake to make if you did not.

    For this reason, I think it is a big security bug for Shiro to use a default key here. I think Shiro should use a random key by default, or require you to specify a new key if you want to use "remember me". See e.g. https://github.com/pledbrook/grails-shiro/issues/28

  3. YOU MUST TRUST THE CLIENT!

    The "remember me" cookie is set with a "max age" which is 1 year by default -- see CookieRememberMeManager.

    However, Shiro does not include any date information in the encrypted cookie data, so it cannot verify that the client has honoured this time limit.

    I think this is a security bug, and Shiro ought to include the date of generation in the encrypted data, and verify this server-side.

Open Shiro bugs

The following Shiro bugs now track these issues:

Split answered 25/2, 2016 at 17:2 Comment(1)
As a workaround you could implement your own remember me manager (extend CookieRememberMeManager) and do a better job in there. We did this so that we could invalidate remember me cookies on things like password changes and password expirations. Basically, in the user record we keep a counter. We store that in the remember me cookie and check it on verification. If the counter doesn't match what is in the user record, then reject the cookie. Bump the counter and all the outstanding remember me cookies are expired. Bonnard
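The server-side expiry check from point 3 of the answer and the per-user counter from Bonnard's comment, combined in one CookieRememberMeManager subclass. This is an added example, not Shiro's code or the posters' code; `GenerationStore` is a hypothetical interface you back with your user table, and the constructor arguments are assumptions.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

public class ExpiringRememberMeManager extends CookieRememberMeManager {

    /** Hypothetical per-user counter kept in the user record; bump it to revoke all outstanding cookies. */
    public interface GenerationStore {
        long currentGeneration(String username);
    }

    private static final int HEADER_LEN = Long.BYTES * 2; // issuedAt + generation
    private final GenerationStore store;
    private final long maxAgeMillis;

    public ExpiringRememberMeManager(GenerationStore store, byte[] cipherKey, int maxAgeSeconds) {
        this.store = store;
        this.maxAgeMillis = maxAgeSeconds * 1000L;
        setCipherKey(cipherKey);              // replace Shiro's default key with your own
        getCookie().setMaxAge(maxAgeSeconds); // client-side hint only; deserialize() is authoritative
    }

    @Override
    protected byte[] serialize(PrincipalCollection principals) {
        byte[] body = super.serialize(principals);
        String user = principals.getPrimaryPrincipal().toString();
        // Prepend issue time and current generation; the whole blob is then encrypted by Shiro.
        return ByteBuffer.allocate(HEADER_LEN + body.length)
                .putLong(System.currentTimeMillis())
                .putLong(store.currentGeneration(user))
                .put(body)
                .array();
    }

    @Override
    protected PrincipalCollection deserialize(byte[] blob) {
        if (blob.length <= HEADER_LEN) {
            throw new IllegalArgumentException("rememberMe cookie too short");
        }
        ByteBuffer buf = ByteBuffer.wrap(blob);
        long issuedAt = buf.getLong();
        long generation = buf.getLong();
        PrincipalCollection principals = super.deserialize(Arrays.copyOfRange(blob, HEADER_LEN, blob.length));
        String user = principals.getPrimaryPrincipal().toString();
        // Throwing here lets AbstractRememberMeManager.onRememberedPrincipalFailure forget the cookie.
        if (System.currentTimeMillis() - issuedAt > maxAgeMillis) {
            throw new IllegalStateException("rememberMe cookie expired for " + user);
        }
        if (generation != store.currentGeneration(user)) {
            throw new IllegalStateException("rememberMe cookie revoked for " + user);
        }
        return principals;
    }
}
```

The header is only as tamper-resistant as the cipher mode Shiro wraps it in, so the counter comparison against the user record, not the cookie contents, is the source of truth for revocation.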
  1. Cannot clarify much about this question.
  2. See this BalusC blog post. It mentions hackers and the default cipher key.
  3. By default the max age of the rememberMe cookie is one year. According to the Shiro documentation you can control the max age of that cookie via rememberMeManager:

    securityManager.rememberMeManager.cookie.maxAge = [max_age_in_seconds];
    
Crannog answered 29/10, 2014 at 20:24 Comment(0)
