Spring Security Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack

青春惊慌失措 2020-12-14 03:59

I have a GWT application using Spring Security 3.1.2 running in Tomcat 7. I am using UsernamePasswordAuthenticationFilter and PersistentTokenBasedRememberMeServices to pers

3 Answers
  •  青春惊慌失措
    2020-12-14 04:43

    I had the same error and noticed that it was trying to auto-login on every request where the security chain was being ignored. You can see which ones by doing:

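    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .debug(true) // log each incoming request and the filter chain applied to it
            .ignoring()
            .antMatchers("/css/**", "/js/**", "/img/**"); // these paths bypass the security filter chain
    }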
    

    After this I noticed that JS files and CSS files were skipping the security chain. I removed those mappings and remember-me started working as it should.

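    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .debug(true) // keep request/filter-chain logging while verifying the fix
            .ignoring()
            .antMatchers("/img/**"); // only images still bypass the security filter chain
    }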
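
The series/token check behind the error in the title, as an added example that is not part of the original answer and not Spring Security's own code: a simplified in-memory model of a persistent remember-me scheme that rotates the token on every auto-login, showing why a second auto-login attempt replaying the same cookie value is reported as a mismatch. The class name, method names and the two-request scenario are hypothetical, and the model drops only the affected series on a mismatch.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Simplified model of persistent remember-me token rotation (hypothetical names).
public class RememberMeRotationDemo {
    private final Map<String, String> tokenBySeries = new HashMap<>(); // series -> current token
    private final SecureRandom random = new SecureRandom();

    private String randomValue() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    // Interactive login: issue a new series with its first token.
    public String[] login() {
        String series = randomValue();
        String token = randomValue();
        tokenBySeries.put(series, token);
        return new String[] {series, token};
    }

    // A request presents a remember-me cookie carrying (series, token).
    public String[] autoLogin(String series, String presentedToken) {
        String stored = tokenBySeries.get(series);
        if (stored == null) {
            throw new IllegalStateException("No persistent token found for series");
        }
        if (!stored.equals(presentedToken)) {
            // Known series but stale token: the cookie value was already consumed once.
            tokenBySeries.remove(series);
            throw new IllegalStateException("Invalid remember-me token (Series/token) mismatch");
        }
        String rotated = randomValue(); // same series, fresh token after each successful auto-login
        tokenBySeries.put(series, rotated);
        return new String[] {series, rotated};
    }

    public static void main(String[] args) {
        RememberMeRotationDemo services = new RememberMeRotationDemo();
        String[] cookie = services.login();
        services.autoLogin(cookie[0], cookie[1]); // first request: accepted, token rotated
        try {
            services.autoLogin(cookie[0], cookie[1]); // second request with the same cookie value
        } catch (IllegalStateException e) {
            System.out.println("second request rejected: " + e.getMessage());
        }
    }
}
```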
    
