REMEMBERME cookie sent to Sentry #43
Comments
Since the name of the cookie is part of the Symfony config, it can be easily retrieved from the config as the

Good to know, are you able to provide a PR?

Yup, in a week or so.

Hi @kgilden, are you still available to provide a PR for this issue? I would like to solve this issue before the 1.0 release.

@Jean85 sorry, I'm afraid I don't have the time even though I promised I'd do it initially :/

Don't worry, I just wanted to know to avoid doing the work twice!

This is stale. I don't want this to block the new stable release, hence I'm removing this from the milestone.

Closing this as stale; also, v3 doesn't send it by default, you need to enable the "send PII" option in the PHP SDK.
Hey,

Currently the cookie used to store a "remember-me" token is sent to Sentry. Knowing this value lets an adversary impersonate a user. Perhaps this should be sent as filtered out-of-the-box just like PHPSESSID is filtered.

Note that simply filtering the default REMEMBERME cookie does not cut it. The name can be configured (http://symfony.com/doc/current/security/remember_me.html). Best option IMO is to use a compiler pass and grab it from a certain service definition argument. In the compiler pass we would have to figure the "remember-me" service id (it's dynamic I think), find the service and then infer the cookie name from the 3rd "options" argument. The relevant part in Symfony can be found here.

Cheers,
Kristen
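The scrubbing the issue asks for, as an added example that is not code from the issue author or from the sentry-symfony project. It assumes two things: that the remember-me cookie name is read from a parsed Symfony security config array shaped like security.firewalls.<firewall>.remember_me.name (the option the linked documentation describes), and that the request payload handed to Sentry carries a parsed 'cookies' map plus the raw request 'headers'. The second point is the caveat worth noticing: dropping the key from the cookie map alone leaves the token in the Cookie header, so both are scrubbed. The function names, the config array and the request data are constructed for the example. Per the closing comment, with SDK v3 this only matters once the "send PII" option is enabled.

```php
<?php
declare(strict_types=1);

// Names filtered regardless of configuration. Symfony lets every firewall override
// the remember-me cookie name, so these defaults alone are not sufficient.
const DEFAULT_SENSITIVE_COOKIES = ['PHPSESSID', 'REMEMBERME'];

/**
 * Collect the remember-me cookie name of every firewall in a parsed Symfony
 * "security" config array (security.firewalls.<name>.remember_me.name), plus the defaults.
 */
function sensitiveCookieNames(array $securityConfig): array
{
    $names = DEFAULT_SENSITIVE_COOKIES;
    foreach ($securityConfig['firewalls'] ?? [] as $firewall) {
        $rememberMe = $firewall['remember_me'] ?? null;
        if (is_array($rememberMe) && isset($rememberMe['name'])) {
            $names[] = (string) $rememberMe['name'];
        }
    }
    return array_values(array_unique($names));
}

/**
 * Strip the named cookies from a request payload before it leaves the process:
 * from the parsed 'cookies' map and from the raw Cookie header, which would
 * otherwise still carry the remember-me token.
 */
function scrubCookies(array $request, array $cookieNames): array
{
    $blocked = array_flip($cookieNames); // cookie names are case-sensitive

    if (isset($request['cookies']) && is_array($request['cookies'])) {
        $request['cookies'] = array_diff_key($request['cookies'], $blocked);
    }

    foreach ($request['headers'] ?? [] as $header => $value) {
        if (strcasecmp((string) $header, 'Cookie') !== 0) {
            continue; // header names are case-insensitive
        }
        $kept = [];
        foreach (explode(';', (string) $value) as $pair) {
            $pair = trim($pair);
            if ($pair === '') {
                continue;
            }
            [$name] = explode('=', $pair, 2);
            if (!isset($blocked[trim($name)])) {
                $kept[] = $pair;
            }
        }
        if ($kept === []) {
            unset($request['headers'][$header]);
        } else {
            $request['headers'][$header] = implode('; ', $kept);
        }
    }

    return $request;
}

// Constructed demo data, not taken from a real application.
$securityConfig = [
    'firewalls' => [
        'main' => ['remember_me' => ['secret' => '%kernel.secret%', 'name' => 'APP_REMEMBER']],
    ],
];

$request = [
    'url'     => 'https://example.test/account',
    'cookies' => ['APP_REMEMBER' => 'dXNlcjp0b2tlbg==', 'PHPSESSID' => 'abc123', 'theme' => 'dark'],
    'headers' => ['Cookie' => 'APP_REMEMBER=dXNlcjp0b2tlbg==; PHPSESSID=abc123; theme=dark'],
];

$scrubbed = scrubCookies($request, sensitiveCookieNames($securityConfig));
var_export($scrubbed);
// Only the 'theme' cookie survives, in both the cookie map and the Cookie header.
```

Running this prints the request with APP_REMEMBER and PHPSESSID gone from both places. To apply it in practice, call scrubCookies on the event's request data inside the hook the SDK offers for rewriting events before they are sent (in the Sentry PHP SDK that is the before_send option; how the bundle exposes it is outside what this issue shows).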