diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoid regenerating the remember me token if it is still fresh

Browse Source
This commit is contained in:
Jordi Boggiano 2021-04-28 13:42:03 +02:00 committed by GitHub
parent 01602ef842
commit a942b5f684
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
View File

@ -74,8 +74,12 @@ final class PersistentRememberMeHandler extends AbstractRememberMeHandler
throw new AuthenticationException('The cookie has expired.');
}
$tokenValue = base64_encode(random_bytes(64));
$this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());
// if a token was regenerated less than a minute ago, there is no need to regenerate it
// if multiple concurrent requests reauthenticate a user we do not want to update the token several times
if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
$tokenValue = base64_encode(random_bytes(64));
$this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());
}
$this->createCookie($rememberMeDetails->withValue($tokenValue));
}