Add expiration based persistent rememberme token #483
Warning: This is currently POC and completely untested!
This is our current take at fixing #400
As suggested by @nicolas-grekas in symfony/symfony#31078 (comment), we need to add a short expiration time to the persistent rememberme tokens. This also fixes concurrent requests mentioned in symfony/symfony#18384.
On the second parallel request, there will be two tokens in the database (thanks to table locking). If the expiring one is still valid, it will be accepted. Instead of generating another new one, it will however send the already created new one back to the client.
As long as there is one browser request (non-ESI) within that minute, the new rememberme cookie as well as the session will correctly make it to the client. This will be accomplished through:
I have also implemented symfony/symfony#27910 and now hashed the token value instead of the series. Both ways would work. Changing this will break existing rememberme cookies in Contao, but as everything is broken atm that should be fine.
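Added example, not code from this pull request or from Contao/Symfony: a minimal in-memory model of the rotation described above, in which a replaced token stays acceptable for one minute and a parallel request presenting it receives the already-created successor. The class and method names are hypothetical, and the model assumes the series is the hashed column so that the successor value can be re-sent; a real store has to perform the lookup and rotation under the table lock the description mentions.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory model (added example; not Contao or Symfony code).
final class RememberMeStore
{
    private const GRACE = 60; // seconds a replaced token stays acceptable
    private array $rows = []; // hashed series => list of [value, expires]

    public function issue(string $series, string $value): void
    {
        $this->rows[hash('sha256', $series)][] = ['value' => $value, 'expires' => null];
    }

    /** Returns the value the client should hold next, or null to reject the cookie. */
    public function consume(string $series, string $value, int $now): ?string
    {
        // A real store must run this whole method under a lock or transaction.
        $key = hash('sha256', $series);
        $current = $matched = null;
        foreach ($this->rows[$key] ?? [] as $i => $row) {
            if (null === $row['expires']) {
                $current = $row['value']; // newest token of the series
            }
            if (hash_equals($row['value'], $value)) {
                $matched = $i;
            }
        }
        if (null === $matched) {
            return null; // unknown series or value
        }
        $expires = $this->rows[$key][$matched]['expires'];
        if (null !== $expires) {
            // Rotated already by a parallel request: within the grace window,
            // return the successor instead of minting yet another token.
            return $expires >= $now ? $current : null;
        }
        $this->rows[$key][$matched]['expires'] = $now + self::GRACE;
        $new = bin2hex(random_bytes(32));
        $this->rows[$key][] = ['value' => $new, 'expires' => null];
        return $new;
    }
}

// Constructed sample: two requests carry the same old cookie, a third arrives late.
$store = new RememberMeStore();
$store->issue('series-A', 'v1');
$first = $store->consume('series-A', 'v1', 1559700000);       // rotates
$second = $store->consume('series-A', 'v1', 1559700005);      // gets the same successor
var_dump($first === $second, $store->consume('series-A', 'v1', 1559700061));
```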
Theoretically, and it would be the best place imho. Unfortunately, the
Jun 5, 2019
Jun 6, 2019
I have updated the implementation to use the ORM entity. While doing so, I also found an implementation issue that I was luckily able to solve: