bug #41897 [Security] fix #41891 Save hashed tokenValue in RememberMe cookie (qurben)

chalasr · chalasr · commit 643e29a1885b · 2021-07-16T23:55:51.000+02:00
This PR was merged into the 5.3 branch. Discussion ---------- [Security] fix #41891 Save hashed tokenValue in RememberMe cookie | Q | A | ------------- | --- | Branch? | 5.3 | Bug fix? | yes | New feature? | no  | Deprecations? | no  | Tickets | Fix #41891  | License | MIT The hashed tokenValue is expected in the RememberMe cookie. This was not the case when this branch was executed.  Commits ------- 9ccaa93 [Security] fix #41891 Save hashed tokenValue in RememberMe cookie
diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
@@ -89,13 +89,12 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
         // if a token was regenerated less than a minute ago, there is no need to regenerate it
         // if multiple concurrent requests reauthenticate a user we do not want to update the token several times
         if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
-            $tokenValue = base64_encode(random_bytes(64));
-            $tokenValueHash = $this->generateHash($tokenValue);
+            $tokenValue = $this->generateHash(base64_encode(random_bytes(64)));
             $tokenLastUsed = new \DateTime();
             if ($this->tokenVerifier) {
-                $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValueHash, $tokenLastUsed);
+                $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
             }
-            $this->tokenProvider->updateToken($series, $tokenValueHash, $tokenLastUsed);
+            $this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
         }
 
         $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
