symfony
diff --git a/‎src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
Lines changed: 13 additions & 1 deletion b/‎src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
Lines changed: 13 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
Lines changed: 2 additions & 1 deletion b/‎src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php
Lines changed: 3 additions & 2 deletions b/‎src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php
Lines changed: 3 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
Lines changed: 2 additions & 1 deletion b/‎src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/Tests/Firewall/RememberMeListenerTest.php
Lines changed: 63 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Tests/Firewall/RememberMeListenerTest.php
Lines changed: 63 additions & 0 deletions
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
 
+use Symfony\Component\Security\Core\Util\StringUtils;
+
 @trigger_error('The '.__NAMESPACE__.'\DefaultCsrfProvider is deprecated since version 2.4 and will be removed in version 3.0. Use the \Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage class instead.', E_USER_DEPRECATED);
 
 /**
@@ -61,7 +63,17 @@ public function generateCsrfToken($intention)
      */
     public function isCsrfTokenValid($intention, $token)
     {
-        return $token === $this->generateCsrfToken($intention);
+        $expectedToken = $this->generateCsrfToken($intention);
+
+        if (function_exists('hash_equals')) {
+            return hash_equals($expectedToken, $token);
+        }
+
+        if (class_exists('Symfony\Component\Security\Core\Util\StringUtils')) {
+            return StringUtils::equals($expectedToken, $token);
+        }
+
+        return $token === $expectedToken;
     }
 
     /**
 
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Http\Firewall;
 
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Core\Util\StringUtils;
 use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@@ -99,7 +100,7 @@ public function handle(GetResponseEvent $event)
             return;
         }
 
-        if ($serverDigestMd5 !== $digestAuth->getResponse()) {
+        if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) {
             if (null !== $this->logger) {
                 $this->logger->debug('Unexpected response from the DigestAuth received; is the header returning a clear text passwords?', array('expected' => $serverDigestMd5, 'received' => $digestAuth->getResponse()));
             }
 
@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Http\SecurityEvents;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
 
 /**
  * RememberMeListener implements authentication capabilities via a cookie.
@@ -56,7 +57,7 @@ public function __construct(TokenStorageInterface $tokenStorage, RememberMeServi
         $this->logger = $logger;
         $this->dispatcher = $dispatcher;
         $this->catchExceptions = $catchExceptions;
-        $this->sessionStrategy = $sessionStrategy;
+        $this->sessionStrategy = null === $sessionStrategy ? new SessionAuthenticationStrategy(SessionAuthenticationStrategy::MIGRATE) : $sessionStrategy;
     }
 
     /**
@@ -77,7 +78,7 @@ public function handle(GetResponseEvent $event)
 
         try {
             $token = $this->authenticationManager->authenticate($token);
-            if (null !== $this->sessionStrategy && $request->hasSession() && $request->getSession()->isStarted()) {
+            if ($request->hasSession() && $request->getSession()->isStarted()) {
                 $this->sessionStrategy->onAuthentication($request, $token);
             }
             $this->tokenStorage->setToken($token);
 
@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Util\SecureRandomInterface;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Core\Util\StringUtils;
 
 /**
  * Concrete implementation of the RememberMeServicesInterface which needs
@@ -90,7 +91,7 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
         list($series, $tokenValue) = $cookieParts;
         $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
 
-        if ($persistentToken->getTokenValue() !== $tokenValue) {
+        if (!StringUtils::equals($persistentToken->getTokenValue(), $tokenValue)) {
             throw new CookieTheftException('This token was already used. The account is possibly compromised.');
         }
 
 
@@ -246,6 +246,69 @@ public function testSessionStrategy()
         $listener->handle($event);
     }
 
+    public function testSessionIsMigratedByDefault()
+    {
+        list($listener, $tokenStorage, $service, $manager, , $dispatcher, $sessionStrategy) = $this->getListener(false, true, false);
+
+        $tokenStorage
+            ->expects($this->once())
+            ->method('getToken')
+            ->will($this->returnValue(null))
+        ;
+
+        $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
+        $service
+            ->expects($this->once())
+            ->method('autoLogin')
+            ->will($this->returnValue($token))
+        ;
+
+        $tokenStorage
+            ->expects($this->once())
+            ->method('setToken')
+            ->with($this->equalTo($token))
+        ;
+
+        $manager
+            ->expects($this->once())
+            ->method('authenticate')
+            ->will($this->returnValue($token))
+        ;
+
+        $session = $this->getMock('\Symfony\Component\HttpFoundation\Session\SessionInterface');
+        $session
+            ->expects($this->once())
+            ->method('isStarted')
+            ->will($this->returnValue(true))
+        ;
+        $session
+            ->expects($this->once())
+            ->method('migrate')
+        ;
+
+        $request = $this->getMock('\Symfony\Component\HttpFoundation\Request');
+        $request
+            ->expects($this->any())
+            ->method('hasSession')
+            ->will($this->returnValue(true))
+        ;
+
+        $request
+            ->expects($this->any())
+            ->method('getSession')
+            ->will($this->returnValue($session))
+        ;
+
+        $event = $this->getGetResponseEvent();
+        $event
+            ->expects($this->once())
+            ->method('getRequest')
+            ->will($this->returnValue($request))
+        ;
+
+        $listener->handle($event);
+    }
+
     public function testOnCoreSecurityInteractiveLoginEventIsDispatchedIfDispatcherIsPresent()
     {
         list($listener, $tokenStorage, $service, $manager, , $dispatcher) = $this->getListener(true);
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`namespace Symfony\Component\Security\Http\Firewall;`
`13`	`13`
`14`	`14`	`use Symfony\Component\Security\Core\User\UserProviderInterface;`
	`15`	`+use Symfony\Component\Security\Core\Util\StringUtils;`
`15`	`16`	`use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;`
`16`	`17`	`use Psr\Log\LoggerInterface;`
`17`	`18`	`use Symfony\Component\HttpKernel\Event\GetResponseEvent;`
`@@ -99,7 +100,7 @@ public function handle(GetResponseEvent $event)`
`99`	`100`	`return;`
`100`	`101`	`}`
`101`	`102`
`102`		`- if ($serverDigestMd5 !== $digestAuth->getResponse()) {`
	`103`	`+ if (!StringUtils::equals($serverDigestMd5, $digestAuth->getResponse())) {`
`103`	`104`	`if (null !== $this->logger) {`
`104`	`105`	`$this->logger->debug('Unexpected response from the DigestAuth received; is the header returning a clear text passwords?', array('expected' => $serverDigestMd5, 'received' => $digestAuth->getResponse()));`
`105`	`106`	`}`