REMEMBERME cookie sent to Sentry

[kgilden]

Hey,

Currently the cookie used to store a "remember-me" token is sent to Sentry. Knowing this value lets an adversary impersonate a user. Perhaps this should be sent as filtered out-of-the-box just like PHPSESSID is filtered.

Note that simply filtering the default REMEMBERME cookie does not cut it. The name can be configured (http://symfony.com/doc/current/security/remember_me.html). Best option IMO is to use a compiler pass and grab it from a certain service definition argument. In the compiler pass we would have to figure the "remember-me" service id (it's dynamic I think), find the service and then infer the cookie name from the 3-rd "options" argument. The relevant part in Symfony can be found here.

Cheers,
Kristen

[Jean85]

Since the name of the cookie is part of the Symfony config, it can be easily retrieved from the config as the security.firewalls.*.remember_me.name parameter.

Good to know, are you able to provide a PR?

[kgilden]

Yup, in a week or so.

[Jean85]

Hi @kgilden, are you still available to provide a PR for this issue? I would like to solve this issue before the 1.0 release.

[kgilden]

@Jean85 sorry, I'm afraid I don't have the time even though I promised I'd do it initially :/

[Jean85]

Don't worry, I just wanted to know to avoid doing the work twice!

[Jean85]

This is stale. I don't want this to block the new stable release, hence I'm removing this from the milestone.

[Jean85]

Closing this as stale; also, v3 doesn't send it by default, you need to enable the "send PII" option in the PHP SDK.