8000 4.3.3 - EquatableInterface does not take effect if using the "remember_me" feature · Issue #33109 · symfony/symfony · GitHub


Closed
zacharyzh opened this issue Aug 10, 2019 · 6 comments

Comments

@zacharyzh
zacharyzh commented Aug 10, 2019

Symfony version(s) affected:

4.3.3

Description

The session token is deauthenticated if the user data changed. But after that, the RememberMeToken is accepted and restores the session token.

It looks like the RememberMeToken never triggers the user data comparison before restoring the session token.

Log:

[2019-08-11 01:37:15] security.DEBUG: Cannot refresh token because user has changed. { ... }
[2019-08-11 01:37:15] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2019-08-11 01:37:15] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"main","authenticators":1} []
[2019-08-11 01:37:15] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"main","authenticator":"App\\Security\\MyUserAuthenticator"} []
[2019-08-11 01:37:15] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"main","authenticator":"App\\Security\\MyUserAuthenticator"}
[2019-08-11 01:37:15] security.DEBUG: Remember-me cookie detected. [] []
...
[2019-08-11 01:37:15] security.INFO: Remember-me cookie accepted. [] []
[2019-08-11 01:37:15] security.DEBUG: Populated the token storage with a remember-me token. [] []
[2019-08-11 01:37:16] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []

How to reproduce

Configure the "remember_me" feature in security.yaml

firewalls:
    main:
        remember_me:
            secret: "%kernel.secret%"
            lifetime: 604800

Implement the EquatableInterface

    public function isEqualTo(UserInterface $user): bool
    {
        if (null !== $this->disabledAt) {
            return false;
        }
        ...
        return true;
    }
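As an added illustration (not code from the issue or from Symfony itself), the following shows the check the report says the remember-me path skips: reloading the user and running the same equality comparison before a token is restored. The interface, class and function names are stand-ins for this example, the call direction of isEqualTo() is this example's choice, and it assumes PHP 8.

```php
<?php
// Added illustration, not Symfony's code: the comparison the report says the
// remember-me path skips. An account disabled after the cookie was issued should
// be rejected when the cookie is presented, just as the session token is when
// it is refreshed.
declare(strict_types=1);

interface ComparableUser
{
    public function getUsername(): string;
    public function isEqualTo(ComparableUser $user): bool;
}

final class AppUser implements ComparableUser
{
    public function __construct(
        private string $username,
        private ?\DateTimeImmutable $disabledAt = null,
    ) {}

    public function getUsername(): string { return $this->username; }

    // Mirrors the isEqualTo() shown in the report: a disabled account never
    // equals the user that was authenticated earlier.
    public function isEqualTo(ComparableUser $user): bool
    {
        if (null !== $this->disabledAt) {
            return false;
        }
        return $user->getUsername() === $this->username;
    }
}

// Simulates accepting a remember-me cookie: reload the current user record and
// run the same comparison the session refresh runs before restoring a token.
// Returns the user to restore, or null when the cookie must be rejected.
function acceptRememberMe(ComparableUser $fromCookie, callable $loadUser): ?ComparableUser
{
    $fresh = $loadUser($fromCookie->getUsername());
    if (null === $fresh || !$fresh->isEqualTo($fromCookie)) {
        return null; // reject: clear the cookie, do not populate token storage
    }
    return $fresh;
}

// Constructed sample data: the account was disabled after the cookie was issued.
$cookieUser = new AppUser('alice');
$store = ['alice' => new AppUser('alice', new \DateTimeImmutable('2019-08-11'))];
$loader = fn(string $name): ?ComparableUser => $store[$name] ?? null;

var_dump(acceptRememberMe($cookieUser, $loader));
```

Swapping the disabled record in $store for an enabled one makes acceptRememberMe() return the freshly loaded user instead of null.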
@zacharyzh
Author

Or, the RememberMeToken is not destroyed after the user data comparison failure.

@linaori
Contributor
linaori commented Aug 10, 2019

I believe #31172 should fix this

@zacharyzh
Author

And the UserChecker does not work on the session token, is that right?

@linaori
Contributor
linaori commented Aug 10, 2019

The UserChecker is only executed in the initial authentication process

@zacharyzh
Author

Thanks for your explanation.

@chalasr
Member
chalasr commented Aug 11, 2019

Closing as duplicate of #26379. Thanks for the report @zacharyzh

@chalasr chalasr closed this as completed Aug 11, 2019