symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/RememberMeBundle/Security/UserChangingUserProvider.php
Lines changed: 15 additions & 8 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/RememberMeBundle/Security/UserChangingUserProvider.php
Lines changed: 15 additions & 8 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/RememberMeTest.php
Lines changed: 25 additions & 2 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/RememberMeTest.php
Lines changed: 25 additions & 2 deletions
@@ -208,6 +208,7 @@ public function addConfiguration(NodeDefinition $node)
                 ->requiresAtLeastOneElement()
                 ->info('An array of properties on your User that are used to sign the remember-me cookie. If any of these change, all existing cookies will become invalid.')
                 ->example(['email', 'password'])
+                ->defaultValue(['password'])
             ->end()
             ->arrayNode('token_provider')
                 ->beforeNormalization()
 
@@ -21,33 +21,40 @@ class UserChangingUserProvider implements UserProviderInterface
 {
     private $inner;
 
+    public static $changePassword = false;
+
     public function __construct(InMemoryUserProvider $inner)
     {
         $this->inner = $inner;
     }
 
     public function loadUserByUsername($username)
     {
-        return $this->inner->loadUserByUsername($username);
+        return $this->changeUser($this->inner->loadUserByUsername($username));
     }
 
     public function loadUserByIdentifier(string $userIdentifier): UserInterface
     {
-        return $this->inner->loadUserByIdentifier($userIdentifier);
+        return $this->changeUser($this->inner->loadUserByIdentifier($userIdentifier));
     }
 
     public function refreshUser(UserInterface $user)
     {
-        $user = $this->inner->refreshUser($user);
-
-        $alterUser = \Closure::bind(function (InMemoryUser $user) { $user->password = 'foo'; }, null, class_exists(User::class) ? User::class : InMemoryUser::class);
-        $alterUser($user);
-
-        return $user;
+        return $this->changeUser($this->inner->refreshUser($user));
     }
 
     public function supportsClass($class)
     {
         return $this->inner->supportsClass($class);
     }
+
+    private function changeUser(UserInterface $user): UserInterface
+    {
+        if (self::$changePassword) {
+            $alterUser = \Closure::bind(function (InMemoryUser $user) { $user->password = 'changed!'; }, null, class_exists(User::class) ? User::class : InMemoryUser::class);
+            $alterUser($user);
+        }
+
+        return $user;
+    }
 }
@@ -11,8 +11,15 @@
 
 namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
+use Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\RememberMeBundle\Security\UserChangingUserProvider;
+
 class RememberMeTest extends AbstractWebTestCase
 {
+    protected function setUp(): void
+    {
+        UserChangingUserProvider::$changePassword = false;
+    }
+
     /**
      * @dataProvider provideConfigs
      */
@@ -51,11 +58,19 @@ public function testUserChangeClearsCookie()
 
         $this->assertSame(302, $client->getResponse()->getStatusCode());
         $cookieJar = $client->getCookieJar();
-        $this->assertNotNull($cookieJar->get('REMEMBERME'));
+        $this->assertNotNull($cookie = $cookieJar->get('REMEMBERME'));
+
+        UserChangingUserProvider::$changePassword = true;
 
+        // change password (through user provider), this deauthenticates the session
         $client->request('GET', '/profile');
         $this->assertRedirect($client->getResponse(), '/login');
         $this->assertNull($cookieJar->get('REMEMBERME'));
+
+        // restore the old remember me cookie, it should no longer be valid
+        $cookieJar->set($cookie);
+        $client->request('GET', '/profile');
+        $this->assertRedirect($client->getResponse(), '/login');
     }
 
     public function testSessionLessRememberMeLogout()
@@ -121,11 +136,19 @@ public function testLegacyUserChangeClearsCookie()
 
         $this->assertSame(302, $client->getResponse()->getStatusCode());
         $cookieJar = $client->getCookieJar();
-        $this->assertNotNull($cookieJar->get('REMEMBERME'));
+        $this->assertNotNull($cookie = $cookieJar->get('REMEMBERME'));
+
+        UserChangingUserProvider::$changePassword = true;
 
+        // change password (through user provider), this deauthenticates the session
         $client->request('GET', '/profile');
         $this->assertRedirect($client->getResponse(), '/login');
         $this->assertNull($cookieJar->get('REMEMBERME'));
+
+        // restore the old remember me cookie, it should no longer be valid
+        $cookieJar->set($cookie);
+        $client->request('GET', '/profile');
+        $this->assertRedirect($client->getResponse(), '/login');
     }
 
     /**
Original file line number	Diff line number	Diff line change
`@@ -21,33 +21,40 @@ class UserChangingUserProvider implements UserProviderInterface`
`21`	`21`	`{`
`22`	`22`	`private $inner;`
`23`	`23`
	`24`	`+ public static $changePassword = false;`
	`25`	`+`
`24`	`26`	`public function __construct(InMemoryUserProvider $inner)`
`25`	`27`	`{`
`26`	`28`	`$this->inner = $inner;`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`public function loadUserByUsername($username)`
`30`	`32`	`{`
`31`		`- return $this->inner->loadUserByUsername($username);`
	`33`	`+ return $this->changeUser($this->inner->loadUserByUsername($username));`
`32`	`34`	`}`
`33`	`35`
`34`	`36`	`public function loadUserByIdentifier(string $userIdentifier): UserInterface`
`35`	`37`	`{`
`36`		`- return $this->inner->loadUserByIdentifier($userIdentifier);`
	`38`	`+ return $this->changeUser($this->inner->loadUserByIdentifier($userIdentifier));`
`37`	`39`	`}`
`38`	`40`
`39`	`41`	`public function refreshUser(UserInterface $user)`
`40`	`42`	`{`
`41`		`- $user = $this->inner->refreshUser($user);`
`42`		`-`
`43`		`- $alterUser = \Closure::bind(function (InMemoryUser $user) { $user->password = 'foo'; }, null, class_exists(User::class) ? User::class : InMemoryUser::class);`
`44`		`- $alterUser($user);`
`45`		`-`
`46`		`- return $user;`
	`43`	`+ return $this->changeUser($this->inner->refreshUser($user));`
`47`	`44`	`}`
`48`	`45`
`49`	`46`	`public function supportsClass($class)`
`50`	`47`	`{`
`51`	`48`	`return $this->inner->supportsClass($class);`
`52`	`49`	`}`
	`50`	`+`
	`51`	`+ private function changeUser(UserInterface $user): UserInterface`
	`52`	`+ {`
	`53`	`+ if (self::$changePassword) {`
	`54`	`+ $alterUser = \Closure::bind(function (InMemoryUser $user) { $user->password = 'changed!'; }, null, class_exists(User::class) ? User::class : InMemoryUser::class);`
	`55`	`+ $alterUser($user);`
	`56`	`+ }`
	`57`	`+`
	`58`	`+ return $user;`
	`59`	`+ }`
`53`	`60`	`}`