Closed
Symfony version(s) affected: 5.3.2 (with symfony/security-http 5.3.x-dev 81c183fd1527a2d09bd3b5c69bca3fc24ce18527 for another fix in rememberme)
Description
The rememberme cookie returned when a rememberme session is renewed is not properly formatted. This causes it to be rejected when it is used again.
How to reproduce
- Given a setup with rememberme enabled
- Log in with remember me
- Remove session cookie
- Refresh
- Remove session cookie again
- There is no new session
Possible Solution
I pulled two cookies from my installation (a development version, see Additional context). The first one is the original REMEMBERME cookie and the second one is the one received after refreshing. In the first one the last value is base64 encoded and in the second one it isn't.
(originally I had these two mixed up)
Additional context
REMEMBERME=Q3NyRGVsZnRcZW50aXR5XHNlY3VyaXR5XEFjY291bnQ6TVRNME5RPT06MTYyNjEyNjUzOTpVUzNCS2lhNUpsV2hpT2hPSmZ2UWExWGxSNmRNMWJtR2NHRThuZzhQalRsYWFuMDNhM0ZISU9hOXVVYmo5VkVlbWptemVMTlU1cXA4SGVLSFYxVng0UT09Ojc0OWRjN2VkZTU3MzFhODRiZmVmMzIxYzQyZjgxNDI0ZDY2MDAzNTRkNTljMzI2MDQyNTA1ZGY2OTA4NTUyMTA%3D
url & base64 decoded: CsrDelft\entity\security\Account:MTM0NQ==:1626126539:US3BKia5JlWhiOhOJfvQa1XlR6dM1bmGcGE8ng8PjTlaan03a3FHIOa9uUbj9VEemjmzeLNU5qp8HeKHV1Vx4Q==:749dc7ede5731a84bfef321c42f81424d6600354d59c326042505df690855210
REMEMBERME=Q3NyRGVsZnRcZW50aXR5XHNlY3VyaXR5XEFjY291bnQ6TVRNME5RPT06MTYyNjEyNjUzOTpVUzNCS2lhNUpsV2hpT2hPSmZ2UWExWGxSNmRNMWJtR2NHRThuZzhQalRsYWFuMDNhM0ZISU9hOXVVYmo5VkVlbWptemVMTlU1cXA4SGVLSFYxVng0UT09OnFVWHRIVWJHR01QQXBwbVdmSkFGWjRlS1QyRElOY0VLRHhvaDFHM2JmVUxtMmhGSExDdVcwT1dGd0FrcExUdlloTzFLaGora2dadmltQ01XL0xPYzB3PT0%3D
url & base64 decoded: CsrDelft\entity\security\Account:MTM0NQ==:1626126539:US3BKia5JlWhiOhOJfvQa1XlR6dM1bmGcGE8ng8PjTlaan03a3FHIOa9uUbj9VEemjmzeLNU5qp8HeKHV1Vx4Q==:qUXtHUbGGMPAppmWfJAFZ4eKT2DINcEKDxoh1G3bfULm2hFHLCuW0OWFwAkpLTvYhO1Khj+kgZvimCMW/LOc0w==
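An added diagnostic example (not part of the original report and not Symfony code): it decodes a REMEMBERME value the same way the "url & base64 decoded" lines above were produced, splits it on `:` and lists the fields that differ between two cookies together with how each one looks. The two sample cookies are rebuilt from the decoded strings shown above, in page order; the function names and the int/hex/base64 shape heuristic are assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote

HEX_RE = re.compile(r"[0-9a-f]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_cookie(raw):
    """URL-decode, base64-decode, then split the cookie value on ':'."""
    return base64.b64decode(unquote(raw), validate=True).decode("utf-8").split(":")


def field_shape(field):
    """Heuristic label for how one field looks (assumption, not Symfony logic)."""
    if field.isdigit():
        return "int"
    if HEX_RE.fullmatch(field):
        return "hex"
    if len(field) % 4 == 0 and B64_RE.fullmatch(field):
        return "base64"
    return "other"


def diff_fields(raw_a, raw_b):
    """Return (index, shape_a, shape_b) for every field whose value differs."""
    a, b = decode_cookie(raw_a), decode_cookie(raw_b)
    return [(i, field_shape(x), field_shape(y))
            for i, (x, y) in enumerate(zip(a, b)) if x != y]


def _encode(decoded):
    # Rebuild a cookie value from a decoded string: base64, then URL-encode.
    return quote(base64.b64encode(decoded.encode("utf-8")).decode("ascii"), safe="")


# Sample input rebuilt from the decoded strings in the report, in page order.
PREFIX = (r"CsrDelft\entity\security\Account:MTM0NQ==:1626126539:"
          "US3BKia5JlWhiOhOJfvQa1XlR6dM1bmGcGE8ng8PjTlaan03a3FHIOa9uUbj9VEemjmzeLNU5qp8HeKHV1Vx4Q==:")
LAST_1 = "749dc7ede5731a84bfef321c42f81424d6600354d59c326042505df690855210"
LAST_2 = "qUXtHUbGGMPAppmWfJAFZ4eKT2DINcEKDxoh1G3bfULm2hFHLCuW0OWFwAkpLTvYhO1Khj+kgZvimCMW/LOc0w=="
COOKIE_1 = _encode(PREFIX + LAST_1)
COOKIE_2 = _encode(PREFIX + LAST_2)

if __name__ == "__main__":
    for index, shape_1, shape_2 in diff_fields(COOKIE_1, COOKIE_2):
        print(f"field {index}: cookie 1 is {shape_1}, cookie 2 is {shape_2}")
```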