Merge pull request #762 from stianst/master

KEYCLOAK-753 Add 'username:' prefix to remember me cookie to prevent iss...

saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java

@@ -199,13 +199,7 @@ public class SamlService {
         LoginFormsProvider forms = Flows.forms(session, realm, clientSession.getClient(), uriInfo)
                 .setClientSessionCode(new ClientSessionCode(realm, clientSession).getCode());
 
-        String rememberMeUsername = null;
-        if (realm.isRememberMe()) {
-            Cookie rememberMeCookie = headers.getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
-            if (rememberMeCookie != null && !"".equals(rememberMeCookie.getValue())) {
-                rememberMeUsername = rememberMeCookie.getValue();
-            }
-        }
+        String rememberMeUsername = AuthenticationManager.getRememberMeUsername(realm, headers);
 
         if (rememberMeUsername != null) {
             MultivaluedMap<String, String> formData = new MultivaluedMapImpl<String, String>();

services/src/main/java/org/keycloak/protocol/oidc/OpenIDConnectService.java

@@ -820,13 +820,7 @@ public class OpenIDConnectService {
         LoginFormsProvider forms = Flows.forms(session, realm, clientSession.getClient(), uriInfo)
                 .setClientSessionCode(new ClientSessionCode(realm, clientSession).getCode());
 
-        String rememberMeUsername = null;
-        if (realm.isRememberMe()) {
-            Cookie rememberMeCookie = headers.getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
-            if (rememberMeCookie != null && !"".equals(rememberMeCookie.getValue())) {
-                rememberMeUsername = rememberMeCookie.getValue();
-            }
-        }
+        String rememberMeUsername = AuthenticationManager.getRememberMeUsername(realm, headers);
 
         if (loginHint != null || rememberMeUsername != null) {
             MultivaluedMap<String, String> formData = new MultivaluedMapImpl<String, String>();

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -145,7 +145,21 @@ public class AuthenticationManager {
         boolean secureOnly = realm.getSslRequired().isRequired(connection);
         // remember me cookie should be persistent (hardcoded to 365 days for now)
         //NewCookie cookie = new NewCookie(KEYCLOAK_REMEMBER_ME, "true", path, null, null, realm.getCentralLoginLifespan(), secureOnly);// todo httponly , true);
-        CookieHelper.addCookie(KEYCLOAK_REMEMBER_ME, username, path, null, null, 31536000, secureOnly, true);
+        CookieHelper.addCookie(KEYCLOAK_REMEMBER_ME, "username:" + username, path, null, null, 31536000, secureOnly, true);
+    }
+
+    public static String getRememberMeUsername(RealmModel realm, HttpHeaders headers) {
+        if (realm.isRememberMe()) {
+            Cookie cookie = headers.getCookies().get(AuthenticationManager.KEYCLOAK_REMEMBER_ME);
+            if (cookie != null) {
+                String value = cookie.getValue();
+                String[] s = value.split(":");
+                if (s[0].equals("username") && s.length == 2) {
+                    return s[1];
+                }
+            }
+        }
+        return null;
     }
 
     protected static String encodeToken(RealmModel realm, Object token) {