Symfony version(s) affected: 5.1.5
Description
A firewall with lazy: true and remember me enabled will refresh the remember me token on every request, causing a CookieTheftException if multiple requests with the same remember_me cookie are sent.
Configuration must use PersistentTokenRememberMeServices
How to reproduce
https://github.com/qurben/symfony_issue_38206 If needed I can make a reproducer, but it is a bit involved as it also requires Doctrine or some database access.
Possible Solution
The remember me authenticator will already check the cookie and update it when supports is called. In a lazy configuration there is no token at this moment, causing the remember me authenticator to check (and update) the cookie for each request.
It possibly should just check if the cookie exists, to give the ContextListener a chance to create a session and skip updating the cookie.
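Added illustration of the race described in this issue; this is a standalone model, not Symfony's own code. It assumes a "series:value" cookie layout and a server-side store keyed by series, and contrasts a supports() that rotates the token with one that only checks the cookie is present.

```php
<?php
// Constructed model (not Symfony code) of persistent remember-me token rotation.
final class CookieTheftException extends RuntimeException {}

final class TokenStore
{
    /** @var array<string,string> series => current token value */
    private array $rows = [];

    public function set(string $series, string $value): void { $this->rows[$series] = $value; }
    public function valueFor(string $series): ?string { return $this->rows[$series] ?? null; }
}

// A successful login issues a cookie and persists its value server-side.
function issueCookie(TokenStore $store, string $series): string
{
    $value = bin2hex(random_bytes(8));
    $store->set($series, $value);
    return $series . ':' . $value;
}

// Buggy path modelled here: supports() validates AND rotates on every call,
// so the second of two concurrent requests carrying the same cookie fails.
function supportsWithRotation(TokenStore $store, string $cookie): string
{
    [$series, $value] = explode(':', $cookie, 2);
    $stored = $store->valueFor($series);
    if ($stored === null || !hash_equals($stored, $value)) {
        // Stored value no longer matches: treated as a replayed/stolen cookie.
        throw new CookieTheftException("token mismatch for series $series");
    }
    $fresh = bin2hex(random_bytes(8));
    $store->set($series, $fresh);
    return $series . ':' . $fresh; // the rotated cookie the response would set
}

// Proposed direction: supports() only reports whether a cookie is present;
// validation and rotation happen later, once it is known no session token exists.
function supportsPresenceOnly(?string $cookie): bool
{
    return $cookie !== null && $cookie !== '';
}

$store = new TokenStore();
$cookie = issueCookie($store, 'series1');

supportsWithRotation($store, $cookie);      // first in-flight request rotates the value
try {
    supportsWithRotation($store, $cookie);  // second request still carries the old value
} catch (CookieTheftException $e) {
    echo 'second request: ' . $e->getMessage() . PHP_EOL;
}
var_dump(supportsPresenceOnly($cookie));    // presence check alone rotates nothing
```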