[Security] fix #41891 Save hashed tokenValue in RememberMe cookie

qurben · qurben · commit 9ccaa930f354 · 2021-06-29T11:55:38.000+02:00
diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
@@ -89,13 +89,12 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
         // if a token was regenerated less than a minute ago, there is no need to regenerate it
         // if multiple concurrent requests reauthenticate a user we do not want to update the token several times
         if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
-            $tokenValue = base64_encode(random_bytes(64));
-            $tokenValueHash = $this->generateHash($tokenValue);
+            $tokenValue = $this->generateHash(base64_encode(random_bytes(64)));
             $tokenLastUsed = new \DateTime();
             if ($this->tokenVerifier) {
-                $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValueHash, $tokenLastUsed);
+                $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
             }
-            $this->tokenProvider->updateToken($series, $tokenValueHash, $tokenLastUsed);
+            $this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
         }
 
         $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
