/**
 * Remember-me login following the persistent login cookie scheme described at
 * http://jaspan.com/improved_persistent_login_cookie_best_practice
 *
 * NOTE(review): the theft-detection branch below runs only when the last login
 * was under five seconds ago, which appears to invert the intent stated in its
 * own inline comment (delete all persistent logins on a series match, except
 * within the short grace window) — confirm against the linked scheme. Note also
 * that Joda's Period.getSeconds() returns only the seconds field of the period,
 * not the total elapsed seconds; Seconds.secondsBetween(...) would express the
 * intended comparison.
 */
@Transactional(rollbackFor=StaleStateException.class)
public User rememberMeLogin(String token, String series) {
User existingLogin = userDao.getLoginFromAuthToken(token, series);
if (existingLogin == null) {
User loginBySeries = userDao.getByPropertyValue(User.class, "loginSeries", series);
// if a login series exists, assume the previous token was stolen, so deleting all persistent logins.
// An exception is a request made within a few seconds from the last login time
// which may mean request from the same browser that is not yet aware of the renewed cookie
if (loginBySeries != null && new Period(loginBySeries.getLastLoginTime(), new DateTime()).getSeconds() < 5) {
logger.info("Assuming login cookies theft; deleting all sessions for user " + loginBySeries);
loginBySeries.setLoginSeries(null);
loginBySeries.setLoginToken(null);
userDao.persist(loginBySeries);
} else if (logger.isDebugEnabled()) {
logger.debug("No existing login found for token=" + token + ", series=" + series);
}
return null;