bug #24536 [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails (kbond)

This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #24525
| License       | MIT
| Doc PR        | -

I think this is a security hole - a user can remain logged in with a remember me cookie even though they can no longer pass `UserCheckInterface::checkPostAuth()` (could be disabled).

This is a small BC break but shouldn't be an issue as I think it is a bug. I don't think this requires a BC layer but if so, I can add.

Commits
-------

fe190b6 reject remember-me token if user check fails
fabpot committed Oct 13, 2017
2 parents 2059609 + fe190b6 commit 4ebd60f
Showing 1 changed file with 1 addition and 0 deletions.
@@ -49,6 +49,7 @@ public function authenticate(TokenInterface $token)

$user = $token->getUser();
$this->userChecker->checkPreAuth($user);
$this->userChecker->checkPostAuth($user);

$authenticatedToken = new RememberMeToken($user, $this->providerKey, $this->key);
$authenticatedToken->setAttributes($token->getAttributes());
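Review bot: the summary line reports one changed file with a single addition, so no test accompanies the new `$this->userChecker->checkPostAuth($user);` call in `authenticate()`; since the description itself calls this a small BC break, a regression test asserting that a checker which throws from `checkPostAuth()` prevents the `RememberMeToken` from being created would pin the new behaviour. The commit message could also state that the check runs before `new RememberMeToken($user, $this->providerKey, $this->key)`, so a failing check surfaces as an exception from `authenticate()` and no authenticated token is issued on the remember-me path.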
