bug #24536 [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails (kbond)

This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #24525
| License       | MIT
| Doc PR        | -

I think this is a security hole - a user can remain logged in with a remember me cookie even though they can no longer pass `UserCheckerInterface::checkPostAuth()` (could be disabled).

This is a small BC break but shouldn't be an issue as I think it is a bug. I don't think this requires a BC layer but if so, I can add.

Commits
-------

fe190b6ee9 reject remember-me token if user check fails
Fabien Potencier 2017-10-13 06:42:43 -07:00
commit 4ebd60f7f9
1 changed file with 1 addition and 0 deletions


@ -49,6 +49,7 @@ class RememberMeAuthenticationProvider implements AuthenticationProviderInterfac
$user = $token->getUser();
$this->userChecker->checkPreAuth($user);
$this->userChecker->checkPostAuth($user);
$authenticatedToken = new RememberMeToken($user, $this->providerKey, $this->key);
$authenticatedToken->setAttributes($token->getAttributes());
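Review bot: the new `$this->userChecker->checkPostAuth($user);` line has no accompanying unit test; the commit touches only this file, so add a provider test that gives `RememberMeAuthenticationProvider` a mocked user checker whose `checkPostAuth()` throws and asserts that `authenticate()` propagates the exception instead of returning a `RememberMeToken`, otherwise a later refactor can silently drop the check again. The placement itself is right: the call sits after `checkPreAuth()` and before `new RememberMeToken(...)`, so an exception from the checker aborts authentication before any authenticated token exists, which matches the behaviour the PR description asks for.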