[Security] Remember_me cookie doesn't get deleted correctly #35198
Comments
@Claicon Could you please try the following patch?

diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
index 61b1257b4a..98e8756e33 100644
--- a/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
+++ b/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
@@ -52,6 +52,8 @@ class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
list($series) = $parts;
$this->tokenProvider->deleteTokenBySeries($series);
}
+
+ $request->cookies->remove($this->options['name']);
}
/** |
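Review bot: The added `$request->cookies->remove($this->options['name']);` only mutates the in-memory cookie bag of the current request; nothing in this hunk expires the cookie in the response, so the browser will present the same cookie again on the next request unless another code path clears it. The removal also runs unconditionally after the enclosing block that calls `deleteTokenBySeries($series)`, so it applies even when that branch was not taken. If the goal is to stop `autoLogin()` from re-accepting a cookie canceled earlier in the same request, a request attribute marking the cancellation, consulted by `autoLogin()` before it looks at the cookie bag, states that intent more explicitly than silently deleting the cookie from the bag.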
@chalasr No, it's still the same with the patch. Why is it only when changing roles? I'm sharing my code just in case I'm doing something wrong here; my app only has one role, so I just get it from a user field (

Can someone confirm this behaviour too, so I can rule out that it is my code? Thanks!
Confirmed, I'm on it.
See #35239
…eing accepted (chalasr)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security\Http] Prevent canceled remember-me cookie from being accepted

| Q             | A          |
| ------------- | ---------- |
| Branch?       | 3.4        |
| Bug fix?      | yes        |
| New feature?  | no         |
| Deprecations? | no         |
| Tickets       | Fix #35198 |
| License       | MIT        |
| Doc PR        | -          |

`RememberMeServices::autoLogin()` only checks that the cookie exists in `$request->cookies`, while `loginFail()` only alters `$request->attributes` (which allows child implementations to read the canceled cookie, e.g. for removing a persistent one). This makes `autoLogin()` check `$request->attributes` first, which fixes the linked issue.

Failure expected on deps=high build.

Commits
-------

9b711b8 [Security] Prevent canceled remember-me cookie from being accepted
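To make the mechanism described in that PR concrete, here is an added PHP model (not Symfony's own code) of the same request seen by the pre-fix and post-fix `autoLogin()`: the cookie is canceled mid-request by setting an attribute only, then auto-login is evaluated against the cookie bag alone versus against the attribute first. `FakeRequest`, `RememberMeModel` and the attribute name `_rm_canceled` are stand-ins assumed for this illustration, not Symfony's real classes or constants.

```php
<?php
// Added illustration, not Symfony's own code. FakeRequest, RememberMeModel and
// the attribute name '_rm_canceled' are hypothetical stand-ins for the real classes.
declare(strict_types=1);

/** Minimal stand-in for Symfony's Request: a cookie bag plus an attribute bag. */
final class FakeRequest
{
    public array $cookies = [];
    public array $attributes = [];
}

final class RememberMeModel
{
    public const COOKIE_NAME = 'REMEMBERME';
    public const CANCEL_ATTR = '_rm_canceled'; // assumed attribute name

    /** $checkAttributesFirst = false models the pre-fix autoLogin(), true the fix in #35239. */
    public function __construct(private bool $checkAttributesFirst) {}

    /** Like loginFail(): only the attribute bag is touched, so a subclass could
     *  still read the cookie value (e.g. to delete the persistent token). */
    public function loginFail(FakeRequest $request): void
    {
        $request->attributes[self::CANCEL_ATTR] = true;
    }

    /** Returns the identity the cookie maps to, or null when no auto-login happens. */
    public function autoLogin(FakeRequest $request): ?string
    {
        if ($this->checkAttributesFirst && !empty($request->attributes[self::CANCEL_ATTR])) {
            return null; // canceled earlier in this same request: do not re-accept
        }
        $cookie = $request->cookies[self::COOKIE_NAME] ?? null; // the only check pre-fix
        return null === $cookie ? null : 'user-from:' . $cookie;
    }
}

// One request: cookie present, then canceled (as after hasUserChanged() on a
// role change), then auto-login evaluated again with the same request object.
foreach (['pre-fix' => false, 'post-fix' => true] as $label => $attrFirst) {
    $request = new FakeRequest();
    $request->cookies[RememberMeModel::COOKIE_NAME] = 'series1:token1'; // constructed value
    $service = new RememberMeModel($attrFirst);
    $service->loginFail($request);
    printf("%s: %s\n", $label, $service->autoLogin($request) ?? 'no auto-login');
}
```

Run with `php` 8.0 or later; the pre-fix pass still yields a user from the canceled cookie, the post-fix pass does not.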
Symfony version(s) affected: 4.4.2

Description

The remember_me cookie should get deleted after the user is deauthenticated with `EquatableInterface` or normal `hasUserChanged` after changing the roles of the user while in an active session. It works correctly when doing that to the username, password or isActive/banned flag, as an example, but doesn't work if roles are changing. After changing the roles a second time it works. I thought this was fixed with #34671, but it doesn't work for me with roles.

How to reproduce

`EquatableInterface` or normal `hasUserChanged` covers role-changes too).

Additional context

Here are the logs directly after I changed the role and reloaded the page. The remember-me cookie is being cleared, but there's a new remember-me cookie detected afterwards and accepted again, and the session is still kinda active (`is_fully_authenticated()` returns `false`, `is_authenticated()` returns `true`). After changing the role AGAIN and reloading the page it seems to be fine: the remember-me cookie is cleared and the token is populated with an anonymous Token (as it should be).