[Security\Http] Prevent canceled remember-me cookie from being accepted #35239
Failure expected on deps=high build.
…eing accepted (chalasr)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security\Http] Prevent canceled remember-me cookie from being accepted

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #35198
| License       | MIT
| Doc PR        | -

`RememberMeServices::autoLogin()` only checks that the cookie exists in `$request->cookies` while `loginFail()` only alters `$request->attributes` (which allows child implementations to read the canceled cookie for e.g. removing a persistent one).
This makes `autoLogin()` check for `request->attributes` first, which fixes the linked issue.

Failure expected on deps=high build.

Commits
-------

9b711b8 [Security] Prevent canceled remember-me cookie from being accepted
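
The ordering problem described in the merged PR, as an added example that is not Symfony's code or part of the PR: a simplified, self-contained model in which `FakeRequest`, `RememberMeModel`, `COOKIE_NAME` and `COOKIE_ATTR` are hypothetical names. It assumes cancellation is recorded as a null-valued entry in the request attributes, and it runs the same request with and without the attributes check.

```php
<?php
// Simplified, self-contained model; not Symfony's code.
// FakeRequest, RememberMeModel, COOKIE_NAME and COOKIE_ATTR are hypothetical names.
final class FakeRequest
{
    public $cookies = [];    // cookies the client sent with this request
    public $attributes = []; // server-side, per-request state
}

final class RememberMeModel
{
    const COOKIE_NAME = 'REMEMBERME';
    const COOKIE_ATTR = '_remember_me_cookie';
    private $checkAttributesFirst;

    public function __construct(bool $checkAttributesFirst)
    {
        $this->checkAttributesFirst = $checkAttributesFirst;
    }

    // Cancels the cookie by recording a null value in the attributes only;
    // $request->cookies stays readable, as the PR description says.
    public function loginFail(FakeRequest $request): void
    {
        $request->attributes[self::COOKIE_ATTR] = ['value' => null];
    }

    // Returns the remembered user name, or null when auto-login is refused.
    public function autoLogin(FakeRequest $request): ?string
    {
        if ($this->checkAttributesFirst && array_key_exists(self::COOKIE_ATTR, $request->attributes)
            && null === $request->attributes[self::COOKIE_ATTR]['value']) {
            return null; // canceled earlier in this request
        }
        if (!isset($request->cookies[self::COOKIE_NAME])) {
            return null; // no remember-me cookie was sent
        }
        // Toy decoding; a real implementation validates the cookie before trusting it.
        return explode(':', $request->cookies[self::COOKIE_NAME], 2)[0];
    }
}

foreach ([false, true] as $checkAttributesFirst) {
    $request = new FakeRequest();
    $request->cookies[RememberMeModel::COOKIE_NAME] = 'alice:constructed-token'; // constructed sample
    $services = new RememberMeModel($checkAttributesFirst);
    $services->loginFail($request); // cookie canceled during this request
    var_dump($services->autoLogin($request));
}
```

With the check disabled the canceled cookie still yields `alice`; with the check enabled `autoLogin()` returns null for the same request.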