RememberMe token should be hashed in the database #27910

Closed
@aschempp


Symfony version(s) affected: any (since 2.0)

Description
Symfony security supports two different types of rememberme cookies. Persistent rememberme tokens are stored in the database to prevent identity theft. They store a series (sort of like a username for your token) and the token (sort of your password). For each series/username, the token is changed on every successful rememberme login.

If someone gets access to a database dump for any reason, he can possibly manually add a rememberme cookie to his browser and be authenticated by Symfony automatically. To prevent such an attack, it is recommended to hash the token value in the database (see the How to Secure Long-Term Authentication article by Paragon IE).

This is currently not done in Symfony, and adding it would generally improve security.

How to reproduce
This is more of a theoretical issue in the security implementation, reproducing it would require manipulating your browser cookies.

Possible Solution
The PersistentTokenBasedRememberMeServices implementation should be adjusted to store hashed passwords and authenticate for them.

Additional context
I'm very much willing to create a PR for this if the Symfony security experts agree that things should be changed (and for which version). We also need to decide on whether all existing rememberme cookies will become invalid after this implementation or we should continue to support unencrypted database values (for until the user has logged in once and the token is updated).
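The series/token split and the hashed-token storage described in this issue, as an added PHP illustration that is not Symfony's PersistentTokenBasedRememberMeServices and not code from the issue author. The class name `HashedTokenStore`, the in-memory `$rows` array standing in for the database table and the `legacyToken` migration field are assumptions made for the example:

```php
<?php
// Added illustration, not Symfony's PersistentTokenBasedRememberMeServices.
// A remember-me cookie carries a series (the "username") and a token (the
// "password"). Only hash('sha256', token) is persisted, so a database dump
// does not let anyone rebuild a valid cookie.

final class HashedTokenStore
{
    /**
     * Constructed in-memory stand-in for the remember-me table, keyed by series.
     * 'legacyToken' holds a plaintext token from before the migration to hashes.
     * @var array<string, array{tokenHash: ?string, legacyToken: ?string, user: string, lastUsed: int}>
     */
    private array $rows = [];

    // Issue a new cookie: random series and random token, store only the token hash.
    public function create(string $user): string
    {
        $series = base64_encode(random_bytes(32)); // base64 never contains ':'
        $token  = base64_encode(random_bytes(32));
        $this->rows[$series] = [
            'tokenHash'   => hash('sha256', $token),
            'legacyToken' => null,
            'user'        => $user,
            'lastUsed'    => time(),
        ];
        return $series . ':' . $token;
    }

    // Simulates a pre-migration row whose token is still stored in plaintext.
    public function seedLegacy(string $user): string
    {
        $series = base64_encode(random_bytes(32));
        $token  = base64_encode(random_bytes(32));
        $this->rows[$series] = [
            'tokenHash'   => null,
            'legacyToken' => $token,
            'user'        => $user,
            'lastUsed'    => time(),
        ];
        return $series . ':' . $token;
    }

    // Validate a presented cookie. Returns the username on success, null otherwise.
    // On success the token is rotated (as Symfony does on every remember-me login)
    // and the row is upgraded to hashed storage if it was still a legacy row.
    public function authenticate(string $cookie, ?string &$newCookie = null): ?string
    {
        if (substr_count($cookie, ':') !== 1) {
            return null;
        }
        [$series, $token] = explode(':', $cookie, 2);
        $row = $this->rows[$series] ?? null;
        if ($row === null) {
            return null;
        }

        // Constant-time comparison in both branches to avoid a timing side channel.
        $valid = $row['tokenHash'] !== null
            ? hash_equals($row['tokenHash'], hash('sha256', $token))
            : hash_equals((string) $row['legacyToken'], $token);

        if (!$valid) {
            // Known series with a wrong token indicates a stolen or forged cookie:
            // invalidate the whole series so the legitimate user must log in again.
            unset($this->rows[$series]);
            return null;
        }

        $fresh = base64_encode(random_bytes(32));
        $this->rows[$series]['tokenHash']   = hash('sha256', $fresh);
        $this->rows[$series]['legacyToken'] = null; // migrated after first successful login
        $this->rows[$series]['lastUsed']    = time();
        $newCookie = $series . ':' . $fresh;
        return $row['user'];
    }
}

$store = new HashedTokenStore();

// Genuine cookie authenticates and is rotated.
$cookie = $store->create('alice');
var_dump($store->authenticate($cookie, $rotated)); // string(5) "alice"

// A cookie built from the series plus a guessed token fails and kills the series.
[$series] = explode(':', $rotated, 2);
var_dump($store->authenticate($series . ':' . base64_encode(random_bytes(32)))); // NULL
var_dump($store->authenticate($rotated)); // NULL, series was invalidated

// Legacy plaintext row keeps working once, then is stored hashed from then on.
$legacy = $store->seedLegacy('bob');
var_dump($store->authenticate($legacy, $upgraded)); // string(3) "bob"
var_dump($store->authenticate($upgraded));          // string(3) "bob"
```

The `seedLegacy` path answers the issue's open question about existing cookies: a row still holding a plaintext token is accepted once and rewritten as a hash on that login, so no user is logged out by the migration, while every row touched after deployment only ever contains a hash.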

Metadata

Assignees

No one assigned

Labels

Feature, Help wanted (Issues and PRs which are looking for volunteers to complete them), Security

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests