Commit 643e29a

bug #41897 [Security] fix #41891 Save hashed tokenValue in RememberMe cookie (qurben)
This PR was merged into the 5.3 branch.

Discussion
----------

[Security] fix #41891 Save hashed tokenValue in RememberMe cookie

| Q | A |
| ------------- | --- |
| Branch? | 5.3 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | Fix #41891 |
| License | MIT |

The hashed tokenValue is expected in the RememberMe cookie. This was not the case when this branch was executed.

Commits
-------

9ccaa93 [Security] fix #41891 Save hashed tokenValue in RememberMe cookie
2 parents 8713652 + 9ccaa93 commit 643e29a

File tree: 1 file changed (+3, -4 lines)

src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php (3 additions, 4 deletions)
@@ -89,13 +89,12 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
8989
// if a token was regenerated less than a minute ago, there is no need to regenerate it
9090
// if multiple concurrent requests reauthenticate a user we do not want to update the token several times
9191
if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
92-
$tokenValue = base64_encode(random_bytes(64));
93-
$tokenValueHash = $this->generateHash($tokenValue);
92+
$tokenValue = $this->generateHash(base64_encode(random_bytes(64)));
9493
$tokenLastUsed = new \DateTime();
9594
if ($this->tokenVerifier) {
96-
$this->tokenVerifier->updateExistingToken($persistentToken, $tokenValueHash, $tokenLastUsed);
95+
$this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
9796
}
98-
$this->tokenProvider->updateToken($series, $tokenValueHash, $tokenLastUsed);
97+
$this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
9998
}
10099

101100
$this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
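Review bot: after the replacement at line 92 the value handed to `updateToken` (line 97) and the value placed in the cookie (line 101) are the same string, whereas before this hunk the cookie carried the raw random value and the store carried its hash. That is what the PR description asks for, but it also means the store and the cookie now hold identical values rather than a value and its hash, so please confirm that the initial cookie-creation path of this handler and the comparison in the consume path use the same convention; if they do not, tokens regenerated by this branch will fail verification on the next request. Two smaller points: the variable `$tokenValue` now holds the output of `$this->generateHash(...)`, so either keep the `$tokenValueHash` name or extend the comment at lines 89-90 to state that the hashed value is what is both stored and sent; and the diff touches only this file with no test change although the PR template asks for one. A regression test should construct a persistent token whose last-used time is more than 60 seconds in the past (so the branch at line 91 runs), call processRememberMe, and assert that the part after `$series.':'` in the created cookie equals the token value passed to `updateToken`.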
