Refreshed RememberMe cookie contains invalid data #41891

qurben · 2021-06-28T22:03:36Z

Symfony version(s) affected: 5.3.2 (with symfony/security-http 5.3.x-dev 81c183fd1527a2d09bd3b5c69bca3fc24ce18527 for another fix in rememberme)

Description

The rememberme cookie returned when a rememberme session is renewed is not properly formatted. This causes it to be rejected when it is used again.

How to reproduce

Given a setup with rememberme enabled
Login with remember me
Remove session cookie
Refresh
Remove session cookie again
There is no new session

Possible Solution

I pulled two cookies from my installation (a development version, see Additional context), the first one is the original REMEMBERME cookie and the second one is the one received after refreshing. In the first one the last value is base64 encoded and in the second one it isn't.

(originally I had these two mixed up)

Additional context

REMEMBERME=Q3NyRGVsZnRcZW50aXR5XHNlY3VyaXR5XEFjY291bnQ6TVRNME5RPT06MTYyNjEyNjUzOTpVUzNCS2lhNUpsV2hpT2hPSmZ2UWExWGxSNmRNMWJtR2NHRThuZzhQalRsYWFuMDNhM0ZISU9hOXVVYmo5VkVlbWptemVMTlU1cXA4SGVLSFYxVng0UT09Ojc0OWRjN2VkZTU3MzFhODRiZmVmMzIxYzQyZjgxNDI0ZDY2MDAzNTRkNTljMzI2MDQyNTA1ZGY2OTA4NTUyMTA%3D
url & base64 decoded: CsrDelft\entity\security\Account:MTM0NQ==:1626126539:US3BKia5JlWhiOhOJfvQa1XlR6dM1bmGcGE8ng8PjTlaan03a3FHIOa9uUbj9VEemjmzeLNU5qp8HeKHV1Vx4Q==:749dc7ede5731a84bfef321c42f81424d6600354d59c326042505df690855210

REMEMBERME=Q3NyRGVsZnRcZW50aXR5XHNlY3VyaXR5XEFjY291bnQ6TVRNME5RPT06MTYyNjEyNjUzOTpVUzNCS2lhNUpsV2hpT2hPSmZ2UWExWGxSNmRNMWJtR2NHRThuZzhQalRsYWFuMDNhM0ZISU9hOXVVYmo5VkVlbWptemVMTlU1cXA4SGVLSFYxVng0UT09OnFVWHRIVWJHR01QQXBwbVdmSkFGWjRlS1QyRElOY0VLRHhvaDFHM2JmVUxtMmhGSExDdVcwT1dGd0FrcExUdlloTzFLaGora2dadmltQ01XL0xPYzB3PT0%3D
url & base64 decoded: CsrDelft\entity\security\Account:MTM0NQ==:1626126539:US3BKia5JlWhiOhOJfvQa1XlR6dM1bmGcGE8ng8PjTlaan03a3FHIOa9uUbj9VEemjmzeLNU5qp8HeKHV1Vx4Q==:qUXtHUbGGMPAppmWfJAFZ4eKT2DINcEKDxoh1G3bfULm2hFHLCuW0OWFwAkpLTvYhO1Khj+kgZvimCMW/LOc0w==

The text was updated successfully, but these errors were encountered:

jderusse · 2021-06-29T05:50:57Z

Could you check if #41741 fixes your issue?

qurben · 2021-06-29T08:46:37Z

With #41741 this issue is still there.

qurben · 2021-06-29T08:51:05Z

It seems that in \Symfony\Component\Security\Http\RememberMe\PersistentRememberMeHandler::processRememberMe the $tokenValue variable is normally not base64 encoded, but when the timestamp block is triggered it is. But it might be that it should always be base64 encoded, but that this goes wrong somewhere else.

(or this might not be relevant at all)

qurben · 2021-06-29T09:47:34Z

I think I found the culprit, in PersistentRememberMeHandler the tokenValue is set on line 92, but this should be the hashed version of the tokenValue as is done in the createRememberMeCookie method. This creates an invalid cookie.

symfony/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php

Lines 91 to 101 in 1eb5b35

    
           if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) { 
        
               $tokenValue = base64_encode(random_bytes(64)); 
        
               $tokenValueHash = $this->generateHash($tokenValue); 
        
               $tokenLastUsed = new \DateTime(); 
        
               if ($this->tokenVerifier) { 
        
                   $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValueHash, $tokenLastUsed); 
        
               } 
        
               $this->tokenProvider->updateToken($series, $tokenValueHash, $tokenLastUsed); 
        
           } 
        
           $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));

symfony/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php

Lines 56 to 58 in 1eb5b35

    
           $series = base64_encode(random_bytes(64)); 
        
           $tokenValue = $this->generateHash(base64_encode(random_bytes(64))); 
        
           $token = new PersistentToken(\get_class($user), method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(), $series, $tokenValue, new \DateTime());

qurben · 2021-06-29T09:53:28Z

I can provide a patch for this.

… cookie (qurben) This PR was merged into the 5.3 branch. Discussion ---------- [Security] fix #41891 Save hashed tokenValue in RememberMe cookie | Q | A | ------------- | --- | Branch? | 5.3 | Bug fix? | yes | New feature? | no  | Deprecations? | no  | Tickets | Fix #41891  | License | MIT The hashed tokenValue is expected in the RememberMe cookie. This was not the case when this branch was executed.  Commits ------- 9ccaa93 [Security] fix #41891 Save hashed tokenValue in RememberMe cookie

qurben added the Bug label Jun 28, 2021

carsonbot added the Status: Needs Review label Jun 28, 2021

xabbuh added Security Status: Waiting feedback labels Jun 29, 2021

chalasr removed the Status: Waiting feedback label Jun 29, 2021

qurben mentioned this issue Jun 29, 2021

[Security] fix #41891 Save hashed tokenValue in RememberMe cookie #41897

Merged

chalasr mentioned this issue Jul 16, 2021

[Security] Fix persistent remember me being only usable once #42162

Closed

chalasr pushed a commit that referenced this issue Jul 16, 2021

[Security] fix #41891 Save hashed tokenValue in RememberMe cookie

9ccaa93

chalasr closed this as completed Jul 16, 2021

fabpot mentioned this issue Jul 26, 2021

Release v5.3.4 #42267

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Refreshed RememberMe cookie contains invalid data #41891

Refreshed RememberMe cookie contains invalid data #41891

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Refreshed RememberMe cookie contains invalid data #41891

Refreshed RememberMe cookie contains invalid data #41891

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!