security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Add a separator in the remember me cookie hash

Based on #89

Commits
-------

a29ce2817c [Security] Add a separator in the remember me cookie hash
Nicolas Grekas 2019-04-16 10:58:07 +02:00
commit 0a4ed67b0d


@ -120,6 +120,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
*/ */
protected function generateCookieHash($class, $username, $expires, $password) protected function generateCookieHash($class, $username, $expires, $password)
{ {
return hash_hmac('sha256', $class.$username.$expires.$password, $this->getSecret()); return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
} }
} }
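Review bot: In the new `hash_hmac` line of `generateCookieHash`, the separator makes the signed string unambiguous only if no joined field can itself contain `self::COOKIE_DELIMITER`, and `$username` is concatenated raw with nothing in this hunk constraining it. Since the delimiter's value and any username validation are defined outside the visible lines, I would encode the one free-form field before joining, e.g. `$class.self::COOKIE_DELIMITER.base64_encode($username).self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password`. The docblock, which begins above this hunk, should also say why the fields are separated, for example `Fields are delimiter-separated so that distinct (class, username, expires, password) tuples cannot yield the same HMAC input.` Any change to the hashed string invalidates remember-me cookies issued before it, so the upgrade notes should mention that users will have to log in again.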