Closed
Description
Symfony version(s) affected
6.2.5
Description
Since we migrated from 6.2.3 to 6.2.5 we've seen a rise in the following exception,
Symfony\Component\Security\Core\Exception\AuthenticationException, which causes massive logouts / a need to re-login for our users,
with the following stack trace:
Symfony\Component\Security\Core\Exception\AuthenticationException: The cookie contains invalid data.
#26 /vendor/symfony/security-http/RememberMe/RememberMeDetails.php(41): Symfony\Component\Security\Http\RememberMe\RememberMeDetails::fromRawCookie
#25 /vendor/symfony/security-http/RememberMe/PersistentRememberMeHandler.php(115): Symfony\Component\Security\Http\RememberMe\PersistentRememberMeHandler::clearRememberMeCookie
#24 /vendor/symfony/security-http/EventListener/RememberMeListener.php(73): Symfony\Component\Security\Http\EventListener\RememberMeListener::clearCookie
#23 /vendor/symfony/event-dispatcher/EventDispatcher.php(246): Symfony\Component\EventDispatcher\EventDispatcher::Symfony\Component\EventDispatcher\{closure}
#22 /vendor/symfony/event-dispatcher/EventDispatcher.php(206): Symfony\Component\EventDispatcher\EventDispatcher::callListeners
#21 /vendor/symfony/event-dispatcher/EventDispatcher.php(56): Symfony\Component\EventDispatcher\EventDispatcher::dispatch
#20 /vendor/symfony/security-http/Authentication/AuthenticatorManager.php(259): Symfony\Component\Security\Http\Authentication\AuthenticatorManager::handleAuthenticationFailure
#19 /vendor/symfony/security-http/Authentication/AuthenticatorManager.php(207): Symfony\Component\Security\Http\Authentication\AuthenticatorManager::executeAuthenticator
#18 /vendor/symfony/security-http/Authentication/AuthenticatorManager.php(154): Symfony\Component\Security\Http\Authentication\AuthenticatorManager::executeAuthenticators
#17 /vendor/symfony/security-http/Authentication/AuthenticatorManager.php(136): Symfony\Component\Security\Http\Authentication\AuthenticatorManager::authenticateRequest
#16 /vendor/symfony/security-http/Firewall/AuthenticatorManagerListener.php(40): Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener::authenticate
#15 /vendor/symfony/security-bundle/Security/LazyFirewallContext.php(73): Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext::Symfony\Bundle\SecurityBundle\Security\{closure}
#14 /vendor/symfony/security-core/Authentication/Token/Storage/TokenStorage.php(34): Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage::getToken
#13 /vendor/symfony/security-core/Authentication/Token/Storage/UsageTrackingTokenStorage.php(44): Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage::getToken
#12 /vendor/symfony/security-core/Security.php(78): Symfony\Component\Security\Core\Security::getToken
It seems to have been introduced specifically by this commit, at this line:
889d739#diff-3a1049f354b63f2306a7a0007466f777c659b1f8c070f0d9310a8486c47d0b54L39
i.e. as the raw remember-me cookie is base64-encoded, the "explode" can't work on it, and so it triggers the exception.
How to reproduce
- Have a project on 6.2.3 with the remember-me cookie activated
- Log in with the remember-me cookie
- Have a low session expiration (so that the remember-me cookie triggers) and wait for that time
- Upgrade to 6.2.5
- Now return to your website
- => you have been logged out (the user does not see the exception, as it is caught by the firewall)
Possible Solution
Provide a way to detect "old" remember-me cookies and migrate them?
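The kind of backward-compatible parser this suggestion and the explanation above call for, as an added example that is not Symfony's own code. The page only states that the old raw cookie is base64-encoded and that the new code calls "explode" on the raw value; the four-field layout (user class, user identifier, expiry, opaque value), the ':' delimiter, the class and method names, and the sample cookies are all assumptions constructed for this example. The legacy format is recognised by the absence of the delimiter in the raw value (a base64 alphabet never contains ':'), decoded with strict base64 so that arbitrary bytes are rejected, and both formats are then split the same way; a legacy cookie is flagged so the caller can re-issue it in the new format instead of clearing it.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. Assumed layout: four ':'-separated fields
// (user class, user identifier, expiry timestamp, opaque value). The legacy
// format base64-encodes the whole joined string; the new format stores it as-is.
// The identifier is assumed to contain no delimiter; only the last field may.
final class RememberMeCookieParser
{
    private const DELIMITER = ':';
    private const FIELD_COUNT = 4;

    /**
     * Parses either format and returns [userFqcn, identifier, expires, value].
     * InvalidArgumentException stands in for Symfony's AuthenticationException;
     * the message is the one quoted in the stack trace above.
     *
     * @return array{0:string,1:string,2:int,3:string}
     */
    public static function parse(string $rawCookie): array
    {
        // A legacy cookie is one base64 token, so it never contains the delimiter;
        // a new-format cookie carries the delimiter in clear text.
        if (self::isLegacy($rawCookie)) {
            $decoded = base64_decode($rawCookie, true); // strict: non-base64 input yields false
            if (false === $decoded) {
                throw new InvalidArgumentException('The cookie contains invalid data.');
            }
            $rawCookie = $decoded;
        }

        $parts = explode(self::DELIMITER, $rawCookie, self::FIELD_COUNT);
        if (self::FIELD_COUNT !== \count($parts)) {
            throw new InvalidArgumentException('The cookie contains invalid data.');
        }
        [$userFqcn, $identifier, $expires, $value] = $parts;
        if ('' === $userFqcn || '' === $identifier || '' === $value || !ctype_digit($expires)) {
            throw new InvalidArgumentException('The cookie contains invalid data.');
        }

        return [$userFqcn, $identifier, (int) $expires, $value];
    }

    /** True when the raw value is in the legacy (base64-wrapped) format and should be re-issued. */
    public static function isLegacy(string $rawCookie): bool
    {
        return !str_contains($rawCookie, self::DELIMITER);
    }

    /** Builds a cookie value in the new (un-wrapped) format. */
    public static function build(string $userFqcn, string $identifier, int $expires, string $value): string
    {
        return implode(self::DELIMITER, [$userFqcn, $identifier, (string) $expires, $value]);
    }
}

// Constructed sample values: one legacy cookie, one new-format cookie, two malformed ones.
$legacy = base64_encode('App\Entity\User:alice:1700000000:opaque-token');
$modern = 'App\Entity\User:alice:1700000000:opaque-token';

foreach ([$legacy, $modern, 'not-a-cookie', base64_encode('too:few')] as $cookie) {
    try {
        $details = RememberMeCookieParser::parse($cookie);
        $note = RememberMeCookieParser::isLegacy($cookie)
            ? 'legacy format, re-issue as ' . RememberMeCookieParser::build(...$details)
            : 'new format';
        printf("OK   %s -> %s\n", $cookie, $note);
    } catch (InvalidArgumentException $e) {
        printf("FAIL %s -> %s\n", $cookie, $e->getMessage());
    }
}
```

Run with `php parser.php` on PHP 8.1 or later (the floor for Symfony 6.2). The two constructed well-formed cookies parse to the same details, with the legacy one marked for re-issue; the two malformed inputs fail with the same message the reporter observed, which is the behaviour a migration path should keep for genuinely invalid cookies rather than silently accepting them.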
Additional Context
No response