
ESI requests break persistent remember me tokens #31078

Open
leofeyer opened this Issue Apr 11, 2019 · 4 comments


leofeyer commented Apr 11, 2019

We are using the PersistentTokenBasedRememberMeServices service together with the DoctrineTokenProvider class to manage "remember me" tokens. The idea behind the service is to update the token hash after each usage, so the same token cannot be used twice.

Now, if you have a "remember me" cookie and request a page that includes an ESI fragment, both the main request and the ESI request will trigger the auto-login process. However, after the main request has used the token, the hash is changed and the cookie is regenerated. By the time the ESI request is processed, the "remember me" token can no longer be verified (CookieTheftException) and the cookie is deleted in the loginFail method.

If the user was successfully authenticated based on the "remember me" cookie in the main request, the response will contain the updated "remember me" cookie as well as a session cookie. Should these cookies not be passed to the ESI request?
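The following is an added model of the failure mode described in this issue; it is not Symfony's code and not the reporter's. It stands in for `PersistentTokenBasedRememberMeServices` and `DoctrineTokenProvider` with a small in-memory store (the class and function names, the `series:value` cookie layout, the hashed token storage, and the choice to drop the series on a mismatch are all modelling assumptions), then replays a main request and an ESI subrequest that both carry the browser's original cookie, as happens when the reverse proxy does not apply the rotated cookie in between.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AuthenticationException(Exception):
    """Raised when the cookie references a series the store no longer has."""


class CookieTheftException(AuthenticationException):
    """Raised when the presented token value does not match the stored one."""


@dataclass
class PersistentToken:
    series: str
    token_hash: str  # SHA-256 of the secret value; hashed storage is a modelling choice
    username: str


class TokenStore:
    """Stand-in for the DoctrineTokenProvider table: one row per series."""

    def __init__(self) -> None:
        self.rows: dict[str, PersistentToken] = {}

    def load(self, series: str) -> PersistentToken:
        if series not in self.rows:
            raise AuthenticationException("unknown series")
        return self.rows[series]

    def create(self, token: PersistentToken) -> None:
        self.rows[token.series] = token

    def update(self, series: str, token_hash: str) -> None:
        self.rows[series].token_hash = token_hash

    def delete(self, series: str) -> None:
        self.rows.pop(series, None)


def hash_token(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class RememberMeServices:
    """Models the persistent-token flow: verify the value, then rotate it."""

    def __init__(self, store: TokenStore) -> None:
        self.store = store

    def issue_cookie(self, username: str) -> str:
        series, value = secrets.token_hex(8), secrets.token_hex(16)
        self.store.create(PersistentToken(series, hash_token(value), username))
        return f"{series}:{value}"

    def auto_login(self, cookie: str) -> tuple[str, str]:
        series, value = cookie.split(":", 1)
        token = self.store.load(series)
        if not hmac.compare_digest(token.token_hash, hash_token(value)):
            # loginFail path of the model: the series is invalidated (assumption)
            self.store.delete(series)
            raise CookieTheftException("token already used; possible cookie theft")
        new_value = secrets.token_hex(16)
        self.store.update(series, hash_token(new_value))
        return token.username, f"{series}:{new_value}"


def simulate_page_with_esi(services: RememberMeServices, browser_cookie: str) -> dict:
    """Main request and ESI subrequest both present the browser's original cookie."""
    outcome: dict = {}
    user, rotated_cookie = services.auto_login(browser_cookie)
    outcome["main"] = ("ok", user)
    outcome["rotated_cookie"] = rotated_cookie
    try:
        services.auto_login(browser_cookie)  # proxy never applied the rotated cookie
        outcome["esi"] = ("ok", user)
    except CookieTheftException:
        outcome["esi"] = ("theft_detected", None)
    try:
        services.auto_login(rotated_cookie)  # browser's next request, new cookie
        outcome["next_browser_request"] = "ok"
    except AuthenticationException:
        outcome["next_browser_request"] = "series_gone"
    return outcome


if __name__ == "__main__":
    store = TokenStore()
    svc = RememberMeServices(store)
    cookie = svc.issue_cookie("alice")  # constructed sample user
    print(simulate_page_with_esi(svc, cookie))
```

Run as a script it shows the sequence from the report: the main request authenticates and rotates the value, the ESI subrequest fails with the theft exception, and because the series was dropped on that failure the rotated cookie the browser received is useless on its next request. The same store handles consecutive browser-driven requests correctly, which is why the breakage only surfaces once a second request reuses the old cookie within one page load.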

leofeyer commented Apr 11, 2019

stof commented Apr 11, 2019

No, they should not, as that's not how ESI works when using Varnish or other reverse proxies. Reading response cookies to update the cookies sent in subsequent requests is something done by the browser, not by ESI-capable reverse proxies.

stof commented Apr 11, 2019

#27910 is not related to this. Storing a hash of the value rather than the value itself is entirely orthogonal to the fact of changing the value on each usage.

leofeyer commented Apr 11, 2019

Ok, but then the ESI request will trigger the auto-login process again and delete the "remember me" cookie (see above). Are you implying that we cannot use persistent tokens together with ESI?
