8000 bug #41897 [Security] fix #41891 Save hashed tokenValue in RememberMe… · symfony/symfony@643e29a · GitHub
[go: up one dir, main page]
Skip to content

Commit 643e29a

Browse files
chalasrchalasr
committed
bug #41897 [Security] fix #41891 Save hashed tokenValue in RememberMe cookie (qurben)
This PR was merged into the 5.3 branch. Discussion ---------- [Security] fix #41891 Save hashed tokenValue in RememberMe cookie | Q | A | ------------- | --- | Branch? | 5.3 | Bug fix? | yes | New feature? | no <!-- please update src/**/CHANGELOG.md files --> | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tickets | Fix #41891 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead --> | License | MIT The hashed tokenValue is expected in the RememberMe cookie. This was not the case when this branch was executed. <!-- Replace this notice by a short README for your feature/bugfix. This will help people understand your PR and can be used as a start for the documentation. Additionally (see https://symfony.com/releases): - Always add tests and ensure they pass. - Never break backward compatibility (see https://symfony.com/bc). - Bug fixes must be submitted against the lowest maintained branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too.) - Features and deprecations must be submitted against branch 5.x. - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry --> Commits ------- 9ccaa93 [Security] fix #41891 Save hashed tokenValue in RememberMe cookie
2 parents 8713652 + 9ccaa93 commit 643e29a

File tree

1 file changed

+3
-4
lines changed

1 file changed

+3
-4
lines changed

src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -89,13 +89,12 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
8989
// if a token was regenerated less than a minute ago, there is no need to regenerate it
9090
// if multiple concurrent requests reauthenticate a user we do not want to update the token several times
9191
if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
92-
$tokenValue = base64_encode(random_bytes(64));
93-
$tokenValueHash = $this->generateHash($tokenValue);
92+
$tokenValue = $this->generateHash(base64_encode(random_bytes(64)));
9493
$tokenLastUsed = new \DateTime();
9594
if ($this->tokenVerifier) {
96-
$this->tokenVerifier->updateExistingToken($persistentToken, $tokenValueHash, $tokenLastUsed);
95+
$this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
9796
}
98-
$this->tokenProvider->updateToken($series, $tokenValueHash, $tokenLastUsed);
97+
$this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
9998
}
10099

101100
$this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));

0 commit comments

Comments
 (0)
0