Commit ca203cf

[Security] Tell about erasing credentials when the user is stored in the session
1 parent c4e1eaa commit ca203cf
2 files changed

+31
-9
lines changed

reference/configuration/security.rst

5 additions & 0 deletions
@@ -53,6 +53,11 @@ erase_credentials
5353
If ``true``, the ``eraseCredentials()`` method of the user object is called
5454
after authentication.
5555

56+
.. deprecated:: 7.3
57+
58+
Since Symfony 7.3, ``eraseCredentials()`` methods are deprecated and are
59+
not called if they have the ``#[\Deprecated]`` attribute.
60+
5661
hide_user_not_found
5762
-------------------
5863
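Review bot: the new deprecation note states that ``eraseCredentials()`` methods are not called when they carry the ``#[\Deprecated]`` attribute, but it leaves the status of the ``erase_credentials`` option itself unexplained: a reader of this reference page cannot tell whether the option still has any effect in 7.3 or what to migrate to. Suggest stating explicitly that methods without the attribute are still invoked after authentication, and pointing to the ``__serialize()`` approach added to security.rst in this same commit as the replacement for clearing sensitive data before the user object is stored in the session.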

security.rst

26 additions & 9 deletions
@@ -193,14 +193,7 @@ from the `MakerBundle`_:
193193
return $this;
194194
}
195195
196-
/**
197-
* @see UserInterface
198-
*/
199-
public function eraseCredentials(): void
200-
{
201-
// If you store any temporary, sensitive data on the user, clear it here
202-
// $this->plainPassword = null;
203-
}
196+
// [...]
204197
}
205198
206199
.. tip::
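Review bot: removing ``eraseCredentials()`` from the MakerBundle user example also removes the only comment in this snippet that told readers to clear temporary sensitive data (``// $this->plainPassword = null;``); with the method collapsed to ``// [...]``, the example no longer hints that a user object may carry data that must not reach the session. Suggest a one-line note or ``.. seealso::`` pointer next to the example referring readers to the ``__serialize()`` guidance added further down in this file, so that the advice does not disappear together with the deprecated method.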
@@ -2786,7 +2779,31 @@ object) are "compared" to see if they are "equal". By default, the core
27862779
your user will be logged out. This is a security measure to make sure that malicious
27872780
users can be de-authenticated if core user data changes.
27882781

2789-
However, in some cases, this process can cause unexpected authentication problems.
2782+
Note that storing the (plain or hashed) password in the session storage can be seen
2783+
as a security risk. In order to address this risk, the ``__serialize()`` magic method
2784+
can be implemented on the user class to filter out the password before storing the
2785+
serialized user object in the session.
2786+
Two strategies are supported while serializing:
2787+
2788+
#. Removing the password entirely. In this case, ``getPassword()`` will return ``null``
2789+
after unserialization and Symfony will refresh the user without checking the
2790+
password. Use this strategy if you store plaintext passwords (not recommended.)
2791+
#. Hashing the password using the ``crc32c`` algorithm. In this case Symfony will
2792+
compare the password of the refreshed user after crc32c-hashing it. This is a good
2793+
strategy if you use hashed passwords since it allows invalidating concurrent
2794+
sessions when a password changes without storing the password hash in the session.
2795+
2796+
Here is an example of how to implement this, assuming the password is found in a
2797+
private property named ``password``::
2798+
2799+
public function __serialize(): array
2800+
{
2801+
$data = (array) $this;
2802+
$data["\0".self::class."\0password"] = hash('crc32c', $this->password);
2803+
2804+
return $data;
2805+
}
2806+
27902807
If you're having problems authenticating, it could be that you *are* authenticating
27912808
successfully, but you immediately lose authentication after the first redirect.
27922809
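Review bot: the ``__serialize()`` example calls ``hash('crc32c', $this->password)`` unconditionally; if ``password`` is nullable (a user without a local password), ``null`` is passed to ``hash()``, which PHP 8.1+ reports as a deprecation, and a checksum of an empty value is stored. Suggest guarding it, for example ``if (null !== $this->password) { ... }``, or unsetting the key (strategy 1) in that case. The example also relies on the mangled private-property key ``"\0".self::class."\0password"`` produced by ``(array) $this``; that key only matches a property declared on the user class itself, not one inherited as private from a parent, which is worth a comment. On the prose: strategy 2 should say explicitly that crc32c is acceptable only because the input is already a password *hash*; a 32-bit checksum of a plaintext password is trivially brute-forced from a leaked session, so the two strategies must not be mixed. Dropping "However, in some cases, this process can cause unexpected authentication problems." also leaves the next paragraph ("If you're having problems authenticating, ...") without its lead-in; keep a short transition. Minor: "(not recommended.)" should read "(not recommended)."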

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.