merged branch joncave/rememberme-hmac (PR #8195)

This PR was submitted for the 2.3 branch but it was merged into the master branch instead (closes #8195). Discussion ---------- [Security] Use HMAC construction for remember me cookie hashes [Security] Use HMAC construction for remember me cookie hashes | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | License | MIT HMAC is a more secure construction for MACs than the secret suffix method that is currently being used by the remember me cookies, see http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/. Changing the MAC scheme means that current cookies will be invalidated and users will have to login again. Though there are no API BC issues. Commits ------- c97e0d0 [Security] Use HMAC construction for remember me cookie hashes
2013-07-21 21:35:20 +02:00 · 2013-07-21 21:35:20 +02:00 · 707acd9a9b
parent 8b3d8c1bae f7bb5de804
commit 707acd9a9b
1 changed files with 1 additions and 1 deletions
--- a/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
+++ b/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
@ -147,6 +147,6 @@ class TokenBasedRememberMeServices extends AbstractRememberMeServices
     */
    protected function generateCookieHash($class, $username, $expires, $password)
    {
-        return hash('sha256', $class.$username.$expires.$password.$this->getKey());
+        return hash_hmac('sha256', $class.$username.$expires.$password, $this->getKey());
    }
 }