>>>>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:

> The only thing I can think of is to give you some examples from my
> application:
> https://github.com/lprimak/apps/blob/main/emailmanager/src/main/java/com/flowlogix/website/security/CipherKeySource.java

Just seeing if I'm interpreting this correctly: this is base64-encoding of the cipher key that's autogenerated every time the app starts?

> https://github.com/lprimak/apps/blob/main/emailmanager/hope-website/WEB-INF/shiro.ini

Hm... I see no setting of the cipherkey in here?

What I tried to do was
 1. to take the openssl command you sent me and run it
 2. that created several hex values
 3. I took the "key" value and prefixed it with "0x" and used it as the value of the remembermeManager.cipherKey property in shiro.ini

I wasn't sure what the exact problem was:
 a. That the cipherKey was a binary value stored as a string, without being base64 encoded or 0x prefix on a hex encoding of the value?
 b. That I did reloads of the server which caused a new AES cipher key (the one you base64 encode in the first URL?) to be generated, and not match the cipherKey used to encode the rememberme cookies?
 c. That I used the same Realm and Session across multiple applications, and thus needed the same cipherKey for all of them?
 d. Something completely unrelated to the above?

I tried to cure all of a., b. and c., by adding the same constant value to all shiro.ini files.

I haven't pushed any of the commits (since they didn't get rid of the error in the logs), but here is one of the shiro.ini files with the setting added:
 https://gist.github.com/steinarb/d16acbdc6cc35e5cb599f9b4121f6af1#file-shiro-ini-L5

Of course if the reason for the problem is "d." then I have been barking up the wrong tree...? :-)
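
The three steps in the message above, as an added example that is not part of the original post or of Shiro's own code: it takes the "key" hex value, checks that it is a valid AES key length, and produces the two text forms Shiro documents for byte-array ini values (Base64 by default, hex when prefixed with "0x"). The sample output, its key=value layout, and the function names are assumptions constructed for illustration.

```python
import base64
import binascii

AES_KEY_SIZES = (16, 24, 32)  # bytes: AES-128, AES-192, AES-256

# Constructed sample of key=value hex output (assumed format); not a real key.
SAMPLE_OUTPUT = """salt=0102030405060708
key=000102030405060708090A0B0C0D0E0F
iv =F0E0D0C0B0A090807060504030201000
"""


def extract_key_hex(text):
    """Return the hex string from the 'key' line of key=value output."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == "key":
            return value.strip()
    raise ValueError("no key= line found")


def decode_ini_bytes(value):
    """Model of the documented convention: '0x' prefix is hex, else Base64."""
    value = value.strip()
    if value.startswith("0x"):
        return binascii.unhexlify(value[2:])
    return base64.b64decode(value, validate=True)


def ini_encodings(key_hex):
    """Validate an AES key given as hex and return both ini spellings."""
    raw = binascii.unhexlify(key_hex)
    if len(raw) not in AES_KEY_SIZES:
        raise ValueError(f"{len(raw)} bytes is not an AES key size")
    return {"hex": "0x" + key_hex, "base64": base64.b64encode(raw).decode("ascii")}


if __name__ == "__main__":
    key_hex = extract_key_hex(SAMPLE_OUTPUT)
    forms = ini_encodings(key_hex)
    for form in forms.values():
        print(form, "->", len(decode_ini_bytes(form)), "bytes")
    # Same hex pasted without the prefix parses as Base64: a different key.
    print(key_hex, "->", len(decode_ini_bytes(key_hex)), "bytes")
```

Because every hex digit is also a Base64 character, a hex key pasted without the "0x" prefix decodes without error to different bytes of a different length, which relates to case a. in the list above.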