wucdbm
diff --git a/‎src/Symfony/Component/Security/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/Security/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
Lines changed: 20 additions & 3 deletions b/‎src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
Lines changed: 20 additions & 3 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentTokenBasedRememberMeServicesTest.php
Lines changed: 14 additions & 4 deletions b/‎src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentTokenBasedRememberMeServicesTest.php
Lines changed: 14 additions & 4 deletions
@@ -6,6 +6,7 @@ CHANGELOG
 
  * Added access decision strategy to override access decisions by voter service priority
  * Added `IS_ANONYMOUS`, `IS_REMEMBERED`, `IS_IMPERSONATOR`
+ * Hash the persistent RememberMe token value in database.
 
 5.0.0
 -----
 
@@ -15,6 +15,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
+use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentTokenInterface;
 use Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
@@ -29,6 +30,8 @@
  */
 class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
 {
+    private const HASHED_TOKEN_PREFIX = 'sha256_';
+
     /** @var TokenProviderInterface */
     private $tokenProvider;
 
@@ -66,7 +69,7 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
         list($series, $tokenValue) = $cookieParts;
         $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
 
-        if (!hash_equals($persistentToken->getTokenValue(), $tokenValue)) {
+        if (!$this->isTokenValueValid($persistentToken, $tokenValue)) {
             throw new CookieTheftException('This token was already used. The account is possibly compromised.');
         }
 
@@ -75,7 +78,7 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
         }
 
         $tokenValue = base64_encode(random_bytes(64));
-        $this->tokenProvider->updateToken($series, $tokenValue, new \DateTime());
+        $this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());
         $request->attributes->set(self::COOKIE_ATTR_NAME,
             new Cookie(
                 $this->options['name'],
@@ -106,7 +109,7 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
                 \get_class($user = $token->getUser()),
                 $user->getUsername(),
                 $series,
-                $tokenValue,
+                $this->generateHash($tokenValue),
                 new \DateTime()
             )
         );
@@ -125,4 +128,18 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
             )
         );
     }
+
+    private function generateHash(string $tokenValue): string
+    {
+        return self::HASHED_TOKEN_PREFIX.hash_hmac('sha256', $tokenValue, $this->getSecret());
+    }
+
+    private function isTokenValueValid(PersistentTokenInterface $persistentToken, string $tokenValue): bool
+    {
+        if (0 === strpos($persistentToken->getTokenValue(), self::HASHED_TOKEN_PREFIX)) {
+            return hash_equals($persistentToken->getTokenValue(), $this->generateHash($tokenValue));
+        }
+
+        return hash_equals($persistentToken->getTokenValue(), $tokenValue);
+    }
 }
@@ -85,7 +85,7 @@ public function testAutoLoginReturnsNullOnNonExistentUser()
         $tokenProvider
             ->expects($this->once())
             ->method('loadTokenBySeries')
-            ->willReturn(new PersistentToken('fooclass', 'fooname', 'fooseries', 'foovalue', new \DateTime()))
+            ->willReturn(new PersistentToken('fooclass', 'fooname', 'fooseries', $this->generateHash('foovalue'), new \DateTime()))
         ;
         $service->setTokenProvider($tokenProvider);
 
@@ -142,15 +142,19 @@ public function testAutoLoginDoesNotAcceptAnExpiredCookie()
             ->expects($this->once())
             ->method('loadTokenBySeries')
             ->with($this->equalTo('fooseries'))
-            ->willReturn(new PersistentToken('fooclass', 'username', 'fooseries', 'foovalue', new \DateTime('yesterday')))
+            ->willReturn(new PersistentToken('fooclass', 'username', 'fooseries', $this->generateHash('foovalue'), new \DateTime('yesterday')))
         ;
         $service->setTokenProvider($tokenProvider);
 
         $this->assertNull($service->autoLogin($request));
         $this->assertTrue($request->attributes->has(RememberMeServicesInterface::COOKIE_ATTR_NAME));
     }
 
-    public function testAutoLogin()
+    /**
+     * @testWith [true]
+     *           [false]
+     */
+    public function testAutoLogin(bool $hashTokenValue)
     {
         $user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();
         $user
@@ -172,11 +176,12 @@ public function testAutoLogin()
         $request->cookies->set('foo', $this->encodeCookie(['fooseries', 'foovalue']));
 
         $tokenProvider = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface')->getMock();
+        $tokenValue = $hashTokenValue ? $this->generateHash('foovalue') : 'foovalue';
         $tokenProvider
             ->expects($this->once())
             ->method('loadTokenBySeries')
             ->with($this->equalTo('fooseries'))
-            ->willReturn(new PersistentToken('fooclass', 'foouser', 'fooseries', 'foovalue', new \DateTime()))
+            ->willReturn(new PersistentToken('fooclass', 'foouser', 'fooseries', $tokenValue, new \DateTime()))
         ;
         $service->setTokenProvider($tokenProvider);
 
@@ -338,4 +343,9 @@ protected function getProvider()
 
         return $provider;
     }
+
+    protected function generateHash(string $tokenValue): string
+    {
+        return 'sha256_'.hash_hmac('sha256', $tokenValue, $this->getService()->getSecret());
+    }
 }