fliespl changed the title from [Security] Secure not not working as expected with "auto" setting to [Security] Remember me secure option not working as expected with "auto" setting on Mar 15, 2021
fliespl added a commit to fliespl/symfony that referenced this issue on Mar 21, 2021
…ookie security (fliespl)
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Handle properly 'auto' option for remember me cookie security
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #40471
| License | MIT
| Doc PR | n/a
Manually setting remember_me cookie secure as auto still results in it being set as a secure one even if used over http.
This PR fixes this behaviour by converting auto to null prior to setting it up for the service.
Commits
-------
2bcf69c [Security] Handle properly 'auto' option for remember me cookie security
Symfony version(s) affected: 4.4 / 5.2
Description
Manually setting remember_me cookie `secure` as auto still results in it being set as a secure one even if used over http.
The problem is that the value 'auto' is being set on the `\Symfony\Component\Security\Http\RememberMe\TokenBasedRememberMeServices` service instead of being converted to null (to get data from the $request->isSecure() method).
That causes a call to onLoginSuccess with `secure` being set as `auto` (string) and being treated as true in Cookie __constructor (which has typed bool conversion).
On the other hand, the configuration specifies that the 'auto' value should be fine:

```php
$builder->enumNode($name)->values([true, false, 'auto'])->defaultValue('auto' === $value ? null : $value);
```
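The coercion described in the issue, as an added PHP example that is not part of the original report or of Symfony's code. `cookieSecureFlag`, `buggySecure` and `fixedSecure` are hypothetical stand-ins, and the `??` fallback to the request scheme is an assumption based on the issue's description of what null means.

```php
<?php
// Added illustration; not Symfony code. All function names are hypothetical.

// Stand-in for a constructor parameter typed as bool (as the issue says
// Cookie's is). Without strict_types, PHP coerces a non-empty string to true.
function cookieSecureFlag(bool $secure): bool
{
    return $secure;
}

// Behaviour the issue reports: the raw option value reaches the bool parameter.
function buggySecure($configured, bool $requestIsSecure): bool
{
    // null means "ask the request"; the string 'auto' is not null,
    // so it is passed on and coerced to true.
    return cookieSecureFlag($configured ?? $requestIsSecure);
}

// Behaviour the fix describes: 'auto' is converted to null before use.
function fixedSecure($configured, bool $requestIsSecure): bool
{
    if ('auto' === $configured) {
        $configured = null;
    }
    return cookieSecureFlag($configured ?? $requestIsSecure);
}

// Constructed matrix: every accepted option value over HTTP and HTTPS.
foreach ([true, false, 'auto', null] as $configured) {
    foreach ([false, true] as $https) {
        printf(
            "secure=%-6s scheme=%-5s buggy=%-5s fixed=%s\n",
            var_export($configured, true),
            $https ? 'https' : 'http',
            var_export(buggySecure($configured, $https), true),
            var_export(fixedSecure($configured, $https), true)
        );
    }
}
```

The only row where the two columns differ is `'auto'` over http: the buggy path marks the cookie Secure, so a browser will not send it back over the plain-HTTP connection and remember-me does not work there.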