src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
[Security] Add a separator in the remember me cookie hash
Parent: 3e0b235
Commit: a29ce28
This logs out all users with the old hash.😐
@simoheinonen which is better than allowing to spoof remember me cookies
Yeah but worth mentioning imo. Logging out thousands of users might cost a lot
One remark regarding this (a bit too late perhaps);
I would like this a little bit shorter for readability/redundancy/etc., sth like that:
return hash_hmac('sha256', implode(self::COOKIE_DELIMITER, func_get_args()), $this->getSecret());
Any point to opening a follow-up issue for this?
@stefanospetrakis this code is less explicit about what gets included in the hash exactly, due to using
func_get_args instead of the actual arguments. So to me, this actually makes it less readable.
@stof Fair enough, how about the following:
implode(self::COOKIE_DELIMITER, [$class, $username, $expires, $password])
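The following stand-alone script is an added example, not Symfony's code and not the diff from this commit. It shows why the separator matters: when the four hash inputs are concatenated with no delimiter, the boundary between fields is ambiguous, so two different (class, username, expires, password) tuples can produce the same HMAC, while the delimited form keeps them apart. It also shows the side effect raised in the thread (a hash computed under the old scheme no longer validates) and adds a guard that rejects fields containing the delimiter, which the commit itself does not include. The "old" form `$class.$username.$expires.$password`, the `':'` delimiter, the secret and the sample tuples are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not Symfony's code) around commit a29ce28: the hash inputs
// joined with no separator are ambiguous; a delimiter removes the ambiguity.
// The old concatenation form, the ':' delimiter, the secret and the sample
// data below are assumptions constructed for this demo.

const COOKIE_DELIMITER = ':';

// Assumed old scheme: plain concatenation of the four fields before the HMAC.
function hashWithoutSeparator(string $secret, string $class, string $username, string $expires, string $password): string
{
    return hash_hmac('sha256', $class.$username.$expires.$password, $secret);
}

// Fixed scheme as suggested in the thread: fields joined with a delimiter.
function hashWithSeparator(string $secret, string $class, string $username, string $expires, string $password): string
{
    return hash_hmac('sha256', implode(COOKIE_DELIMITER, [$class, $username, $expires, $password]), $secret);
}

// Caveat (an assumption of this demo, not part of the commit): a delimiter only
// helps if no field can itself contain it, so reject such values up front.
function assertNoDelimiter(string ...$fields): void
{
    foreach ($fields as $field) {
        if (false !== strpos($field, COOKIE_DELIMITER)) {
            throw new InvalidArgumentException('Field may not contain the cookie delimiter');
        }
    }
}

$secret = 'constructed-demo-secret';

// Two different tuples: user "alice" expiring at 1600000000 versus user "alice1"
// expiring at 600000000. Without a separator both concatenate to the same bytes.
$a = ['App\Entity\User', 'alice',  '1600000000', 'password-hash'];
$b = ['App\Entity\User', 'alice1', '600000000',  'password-hash'];

$oldA = hashWithoutSeparator($secret, ...$a);
$oldB = hashWithoutSeparator($secret, ...$b);
$newA = hashWithSeparator($secret, ...$a);
$newB = hashWithSeparator($secret, ...$b);

printf("no separator:   distinct tuples collide? %s\n", $oldA === $oldB ? 'yes' : 'no');
printf("with separator: distinct tuples collide? %s\n", $newA === $newB ? 'yes' : 'no');

// Side effect discussed in the thread: a hash issued under the old scheme does
// not validate under the new one, so every existing remember-me cookie is invalidated.
printf("old hash for alice still valid after the change? %s\n", hash_equals($newA, $oldA) ? 'yes' : 'no');

// A delimiter inside a field would reintroduce the ambiguity; reject it early.
try {
    assertNoDelimiter('App\Entity\User', 'ali:ce', '1600000000', 'password-hash');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php remember_me_hash_demo.php` (any filename works). The collision in the first line is what the separator prevents; the third line is the cost the thread mentions, since the server recomputes the hash under the new scheme and every cookie minted under the old one fails to match.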