bug #24536 [Security] Reject remember-me token if UserCheckerInterfac… · symfony/symfony@4ebd60f · GitHub

Commit 4ebd60f

bug #24536 [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails (kbond)
This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #24525
| License       | MIT
| Doc PR        | -

I think this is a security hole - a user can remain logged in with a remember me cookie even though they can no longer pass `UserCheckInterface::checkPostAuth()` (could be disabled).

This is a small BC break but shouldn't be an issue as I think it is a bug. I don't think this requires a BC layer but if so, I can add.

Commits
-------

fe190b6 reject remember-me token if user check fails
2 parents 2059609 + fe190b6 commit 4ebd60f

1 file changed: +1 -0 lines changed

src/Symfony/Component/Security/Core/Authentication/Provider/RememberMeAuthenticationProvider.php

Lines changed: 1 addition & 0 deletions
@@ -49,6 +49,7 @@ public function authenticate(TokenInterface $token)
4949

5050
$user = $token->getUser();
5151
$this->userChecker->checkPreAuth($user);
52+
$this->userChecker->checkPostAuth($user);
5253

5354
$authenticatedToken = new RememberMeToken($user, $this->providerKey, $this->key);
5455
$authenticatedToken->setAttributes($token->getAttributes());
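
Review bot: The added `$this->userChecker->checkPostAuth($user);` call at new line 52 ships without a regression test; the commit changes one file with +1/-0, so nothing verifies that `authenticate()` stops before `new RememberMeToken(...)` when the post-auth check rejects the user. Suggest adding a test case for RememberMeAuthenticationProvider that uses a user checker whose checkPostAuth() throws, and asserting that the exception propagates and no authenticated token is returned. Since the commit message acknowledges a small BC break, a short changelog or upgrade note saying that remember-me logins now run the post-auth check would also help anyone maintaining a custom UserCheckerInterface implementation.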
