
Allowing session cookie (split cookie) #958

Merged (1 commit) on Dec 8, 2021

Conversation

JeremyPasco (Contributor)

As described in #809, the split cookie approach cannot be fully implemented because this bundle doesn't allow session cookies (when lifetime=0, the token ttl value was used instead). This pull request allows a 0 lifetime cookie:

lexik_jwt_authentication.yaml

lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    token_ttl: 86400
    token_extractors:
        split_cookie:
            enabled: true
            cookies:
                - jwt_hp
                - jwt_s
    set_cookies:
        jwt_hp:
            lifetime: 360
            samesite: strict
            path: /
            domain: null
            httpOnly: false
            split:
                - header
                - payload

        jwt_s:
            lifetime: 0 # session cookie here
            samesite: strict
            path: /
            domain: null
            httpOnly: true
            split:
                - signature

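To make the fix concrete, here is an added illustration (not the bundle's own code) of how a JWT is split across the two cookies from the configuration above and why a lifetime of 0 must produce a browser-session cookie rather than falling back to the token TTL. The helper name, the token string and the timestamp are constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: build one cookie spec for a slice of a compact JWT.
//   $lifetime === null -> fall back to the configured token_ttl
//   $lifetime === 0    -> session cookie (no expiry; the browser drops it when the session ends)
//   $lifetime > 0      -> expires $lifetime seconds from now
function buildSplitCookie(string $name, array $parts, string $jwt, ?int $lifetime, int $tokenTtl, bool $httpOnly, int $now): array
{
    $segments = explode('.', $jwt);
    if (count($segments) !== 3) {
        throw new InvalidArgumentException('A compact JWT has exactly three dot-separated segments');
    }
    $index = ['header' => 0, 'payload' => 1, 'signature' => 2];
    $value = implode('.', array_map(fn (string $p): string => $segments[$index[$p]], $parts));

    // The behaviour fixed by this PR was equivalent to "$lifetime ?: $tokenTtl",
    // which silently turns 0 into the token TTL. A strict null check keeps 0 meaningful.
    $effective = $lifetime ?? $tokenTtl;

    return [
        'name'     => $name,
        'value'    => $value,
        'expires'  => $effective === 0 ? 0 : $now + $effective, // 0 => session cookie
        'httpOnly' => $httpOnly,
        'sameSite' => 'strict',
        'path'     => '/',
        'domain'   => null,
    ];
}

// Constructed, unsigned sample token: header.payload.signature (not a real credential).
$jwt = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl';
$now = 1700000000;

// Same settings as the jwt_hp / jwt_s blocks in the configuration above.
$hp = buildSplitCookie('jwt_hp', ['header', 'payload'], $jwt, 360, 86400, false, $now);
$s  = buildSplitCookie('jwt_s', ['signature'], $jwt, 0, 86400, true, $now);

if ($hp['expires'] !== $now + 360) {
    throw new LogicException('jwt_hp should expire 360 seconds from now');
}
if ($s['expires'] !== 0) {
    throw new LogicException('jwt_s must be a session cookie, not now + token_ttl');
}
if ($s['httpOnly'] !== true) {
    throw new LogicException('the signature cookie must never be readable from JavaScript');
}
if ($hp['value'] . '.' . $s['value'] !== $jwt) {
    throw new LogicException('the server must be able to recombine the two cookies into the token');
}
```

The checks at the end encode the property the PR restores: the readable header/payload cookie carries a real expiry, while the httpOnly signature cookie lives only for the browser session, so the complete token is not persisted on disk after the browser closes.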
chalasr (Collaborator) commented Nov 22, 2021

Thanks a lot for the PR! Could you please add a test case?

JeremyPasco (Contributor, Author)

Done :)
I also updated the documentation for split_cookie to reflect the idea behind this article: the signature cookie should be a session one.

chalasr (Collaborator) commented Dec 5, 2021

Sorry for not reviewing this earlier, my open-source time was quite limited these last 2 weeks.
I'm going to have a deep look at this as soon as possible.

Review comments (resolved) on Security/Http/Cookie/JWTCookieProvider.php and Tests/Security/Http/Cookie/JWTCookieProviderTest.php

chalasr (Collaborator) commented Dec 8, 2021

I kinda messed up with git while merging, but everything is ok. Thank you very much @JeremyPasco.
