
I'm trying to fix a remember-me related problem. This function was built manually, without Spring Security. Here are some details.

  • I wanted to use Spring Security to implement remember-me functionality, but...
    • We don't have user-related data in our DB. The data is only accessible through a third-party API, and the API returns the data via cookies. I don't know how to use this with Spring Security.
    • I'm working on a legacy server without Spring Security. It may be a bit late to introduce Spring Security.
  • So I decided to make my own version using an interceptor referencing this. It works like this.
    • Remember-me cookie stores "{series}:{hashed token}" string value.
    • DB has a remember-me table that stores series, encrypted tokens, user IDs.
    • Remember-me interceptor is triggered by any requests when a user has remember-me cookie AND no user data in the session.
    • The interceptor compares the remember-me values in the cookie and the DB. If they match, it runs the login procedure and updates the token; otherwise it deletes the cookie value.
  • It works fine in most cases. But...
    • Synchronization problem: Sometimes two requests arrive at the same time from one user (I don't know why). One request updates the token, but the other doesn't know this, so the tokens differ, the cookie is deleted, and the user is not logged in.
    • There might be other problems that I don't recognize.
  • Note
    • This server has multiple instances, so I guess a synchronization block will not work.
    • I don't know why this double request happens. I'm looking into it, but no luck so far.
  • Considering solutions
    • Don't remove the cookie when the remember-me attempt fails, so the cookie stays and is retried on the next request.
    • The remember-me table records the updated datetime, so I can ignore a request if the time between now and the updated time is less than x seconds.

How do I solve this sync problem?
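As an added illustration (not code from the question or from any Spring component), the following plain-Java sketch shows one way to make the "{series}:{hashed token}" scheme tolerate the double-request case: the row keeps a one-step history of the previous token hash plus its update time, so a concurrent request still carrying the just-replaced token is logged in without rotating or clearing the cookie, while a stale token outside the grace window is treated as a genuine mismatch and the series is dropped. The in-memory `ConcurrentHashMap.compute` stands in for the DB table and is an assumption of the example; on a multi-instance server the equivalent atomicity comes from a conditional `UPDATE ... WHERE token_hash = ?` against the shared table, so that only one of the concurrent requests performs the rotation. User id, series and token values are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class RememberMeRace {
    // What the interceptor should do with the request: log in (with or without a fresh cookie) or clear the cookie.
    enum Decision { LOGIN_ROTATED, LOGIN_NOT_ROTATED, REJECT }

    static final class Result {
        final Decision decision; final String userId; final String newCookieValue;
        Result(Decision d, String u, String c) { decision = d; userId = u; newCookieValue = c; }
    }

    // Stored row: only hashes, never the raw token. previousHash is the one-step history that lets a
    // concurrent request carrying the token that was just replaced still succeed inside the grace window.
    static final class Row {
        final String userId; final byte[] currentHash; final byte[] previousHash; final Instant updatedAt;
        Row(String u, byte[] c, byte[] p, Instant t) { userId = u; currentHash = c; previousHash = p; updatedAt = t; }
    }

    private final Map<String, Row> table = new ConcurrentHashMap<>(); // stands in for the remember-me DB table
    private final SecureRandom random = new SecureRandom();
    private final Duration grace;

    RememberMeRace(Duration grace) { this.grace = grace; }

    // Issue a new series for a user at login; returns the cookie value "{series}:{token}".
    String issue(String userId, Instant now) {
        String series = randomString();
        String token = randomString();
        table.put(series, new Row(userId, sha256(token), null, now));
        return series + ":" + token;
    }

    // Validate a presented cookie. compute() serialises concurrent calls for the same series in this
    // in-memory version; a DB-backed version would use a conditional UPDATE ... WHERE token_hash = ? instead.
    Result validate(String cookie, Instant now) {
        int sep = cookie == null ? -1 : cookie.indexOf(':');
        if (sep <= 0 || sep == cookie.length() - 1) return new Result(Decision.REJECT, null, null);
        String series = cookie.substring(0, sep);
        byte[] presented = sha256(cookie.substring(sep + 1));
        Result[] out = new Result[1];
        table.compute(series, (key, row) -> {
            if (row == null) { out[0] = new Result(Decision.REJECT, null, null); return null; }
            if (MessageDigest.isEqual(row.currentHash, presented)) {
                // Normal path: rotate the token and hand the browser a fresh cookie.
                String fresh = randomString();
                out[0] = new Result(Decision.LOGIN_ROTATED, row.userId, series + ":" + fresh);
                return new Row(row.userId, sha256(fresh), row.currentHash, now);
            }
            boolean withinGrace = !now.isAfter(row.updatedAt.plus(grace));
            if (row.previousHash != null && withinGrace && MessageDigest.isEqual(row.previousHash, presented)) {
                // A sibling request already rotated this series moments ago: log in, leave the cookie alone.
                out[0] = new Result(Decision.LOGIN_NOT_ROTATED, row.userId, null);
                return row;
            }
            // Genuine mismatch: drop the series so the presented value cannot be replayed.
            out[0] = new Result(Decision.REJECT, null, null);
            return null;
        });
        return out[0];
    }

    private String randomString() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b); // never contains ':'
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        RememberMeRace svc = new RememberMeRace(Duration.ofSeconds(30));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        String cookie = svc.issue("user-42", t0); // constructed sample user

        // Two requests arrive carrying the same cookie: the double-request case from the question.
        Result first = svc.validate(cookie, t0.plusSeconds(1));
        Result second = svc.validate(cookie, t0.plusSeconds(2));
        System.out.println("first request:  " + first.decision);
        System.out.println("second request: " + second.decision);

        // The browser ends up with the cookie from the rotating response, which keeps working.
        System.out.println("next request:   " + svc.validate(first.newCookieValue, t0.plusSeconds(3)).decision);

        // The original token presented well after the grace window is a real mismatch and the series is gone.
        System.out.println("stale token:    " + svc.validate(cookie, t0.plusSeconds(120)).decision);
        System.out.println("after removal:  " + svc.validate(cookie, t0.plusSeconds(121)).decision);
    }
}
```

Running the `main` shows the first request rotating, the second being logged in without a new cookie, the rotated cookie continuing to work, and the original value being rejected once the grace window has passed. Keep the window short (seconds, not minutes): it only needs to cover the gap between the two near-simultaneous requests, and every second it stays open is time in which a copied old token is still accepted.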
