merged branch joncave/rememberme-hmac (PR #8195)
This PR was submitted for the 2.3 branch but it was merged into the master branch instead (closes #8195).

Discussion
----------

[Security] Use HMAC construction for remember me cookie hashes

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| License       | MIT

HMAC is a more secure construction for MACs than the secret suffix method that is currently being used by the remember me cookies, see http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/.

Changing the MAC scheme means that current cookies will be invalidated and users will have to log in again, though there are no API BC issues.

Commits
-------

c97e0d0 [Security] Use HMAC construction for remember me cookie hashes
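The following is an added example, not code from the pull request or from Symfony itself. It reproduces the pre-patch secret-suffix hash and the post-patch HMAC for one set of remember-me cookie fields, shows that the two values differ (which is why every existing cookie stops validating), and then shows a property the patch leaves untouched: because the fields are concatenated with no separator, two different (username, expires) pairs can hash to the same MAC under both constructions. The `delimitedCookieHash` function is a hypothetical hardening, not part of the patch; the key, user class, usernames, timestamps and password hash are constructed sample values.

```php
<?php
// Added example (not Symfony's own code). All values below are constructed
// for the demonstration; the key is not a real kernel secret.

function oldCookieHash(string $class, string $username, int $expires, string $password, string $key): string
{
    // Pre-patch construction: sha256(message || key), the "secret suffix" MAC.
    return hash('sha256', $class.$username.$expires.$password.$key);
}

function newCookieHash(string $class, string $username, int $expires, string $password, string $key): string
{
    // Post-patch construction: HMAC-SHA256 keyed with the kernel secret.
    return hash_hmac('sha256', $class.$username.$expires.$password, $key);
}

function delimitedCookieHash(string $class, string $username, int $expires, string $password, string $key): string
{
    // Hypothetical hardening (not in the patch): join the fields with a byte
    // that cannot occur in them, so the field boundaries are authenticated too.
    return hash_hmac('sha256', implode("\0", [$class, $username, (string) $expires, $password]), $key);
}

$key      = 'constructed-kernel-secret';
$class    = 'App\\Entity\\User';
$password = '$2y$10$constructedPasswordHash';

// 1. The same cookie fields hash differently under the two schemes, so a
//    cookie issued before the patch no longer validates after it.
$old = oldCookieHash($class, 'alice', 1700000000, $password, $key);
$new = newCookieHash($class, 'alice', 1700000000, $password, $key);
printf("old: %s\nnew: %s\nsame value: %s\n", $old, $new, var_export(hash_equals($old, $new), true));

// 2. 'alice1' . 700000000 and 'alice' . 1700000000 are the same byte string,
//    so both pairs verify under one MAC, with the old and the new construction.
$a = newCookieHash($class, 'alice1', 700000000, $password, $key);
$b = newCookieHash($class, 'alice', 1700000000, $password, $key);
printf("undelimited fields collide: %s\n", var_export(hash_equals($a, $b), true));

// 3. With an explicit delimiter the two pairs no longer collide.
$c = delimitedCookieHash($class, 'alice1', 700000000, $password, $key);
$d = delimitedCookieHash($class, 'alice', 1700000000, $password, $key);
printf("delimited fields collide: %s\n", var_export(hash_equals($c, $d), true));
```

Run it with `php example.php`. Whether the collision in step 2 is reachable in a real deployment depends on the user-provider lookup and expiry checks that surround the hash, which this page does not show; the point of the example is only that HMAC fixes the keyed-hash construction, not the encoding of what is being authenticated.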
commit 707acd9a9b
@ -147,6 +147,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
*/
protected function generateCookieHash($class, $username, $expires, $password)
{
return hash('sha256', $class.$username.$expires.$password.$this->getKey());
return hash_hmac('sha256', $class.$username.$expires.$password, $this->getKey());
}
}
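Review bot: the message passed to `hash_hmac` in the changed `return` line, `$class.$username.$expires.$password`, is still built by bare concatenation, so the field boundaries are not part of what is authenticated: a (username, expires) pair such as `alice1`/`700000000` and `alice`/`1700000000` concatenate to the same bytes and verify under the same MAC, exactly as they did with the old `hash('sha256', ...)` line. Since this change already invalidates every existing cookie, it is the right moment to also join the fields with a byte that cannot occur in them, or to length-prefix each one, e.g. `hash_hmac('sha256', implode("\0", array($class, $username, $expires, $password)), $this->getKey())`. Whether the ambiguity is reachable depends on the user-provider and expiry checks performed by the caller, which are outside this hunk.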