Remember me functionality is broken

Symfony version(s) affected: 5.1.2

Description
After upgrading to Symfony 5.1.2 Remember me functionality got broken. It always replies with "This token was already used. The account is possibly compromised."

Turns out after successful login, remember me token got saved incorrectly. The onLoginSuccess function got called and every parameter was correct in this part:

symfony/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php

Lines 107 to 115 in 0ab5eed

    
           $this->tokenProvider->createNewToken( 
        
               new PersistentToken( 
        
                   \get_class($user = $token->getUser()), 
        
                   $user->getUsername(), 
        
                   $series, 
        
                   $this->generateHash($tokenValue), 
        
                   new \DateTime() 
        
               ) 
        
           );

Upon persisting $this->generateHash($tokenValue), to a database (Postgresql) however, this value was padded by spaces up till its supposed size in database: 88 characters. Later, upon comparing these values:

symfony/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php

Lines 139 to 141 in 0ab5eed

    
           if (0 === strpos($persistentToken->getTokenValue(), self::HASHED_TOKEN_PREFIX)) { 
        
               return hash_equals($persistentToken->getTokenValue(), $this->generateHash($tokenValue)); 
        
           }

hash_equals decides, that they are not.

Possible Solution

Identify, why was this value persisted with extra spaces. I could track this issue up to doctrine-bridge.
Remove extra spaces received from database. (If rtrim ($persistentToken->getTokenValue()) is a suitable fix, let me know, I'll do a PR)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	$this->tokenProvider->createNewToken(
	new PersistentToken(
	\get_class($user = $token->getUser()),
	$user->getUsername(),
	$series,
	$this->generateHash($tokenValue),
	new \DateTime()
	)
	);

	if (0 === strpos($persistentToken->getTokenValue(), self::HASHED_TOKEN_PREFIX)) {
	return hash_equals($persistentToken->getTokenValue(), $this->generateHash($tokenValue));
	}

Uh oh!

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions