[Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails #24536
Conversation
| return new RememberMeToken($user, $this->providerKey, $this->secret); | ||
| $token = new RememberMeToken($user, $this->providerKey, $this->secret); | ||
|
|
||
| if (!$token->isAuthenticated()) { |
There was a problem hiding this comment.
Won't the token always be not authenticated because setAuthenticated() is now never called?
There was a problem hiding this comment.
yeah, just found that out.... working on a fix
|
I wonder if the fix should be that when you are logged in via |
|
Yeah, I jumped the gun on this PR... Discovered the remember me service has no way of knowing if the user has changed because the user isn't serialized. We could clear the remember me cookie as part of the |
Hmm... but this seems like a separate issue, right? Right now, if my session expires, and I am "saved" by RememberMe, but my user has actually changed, then I will still be logged in. Aka, this is already an issue with remember me and unrelated, right? I don't think the "remember me" token could ever know if the user was changed... because (by its very nature), it is being activated because there is no user in the session... and so nothing to compare with. So is that fixable, or just the nature of remember_me? i.e. if you use remember_me, you're giving anyone with this cookie a "free pass" to login until that remember_me cookie expires (if you use the default way that remember_me works, where you just decode the cookie and load the user). |
|
What about running the user through the |
|
@kbond Hmm, indeed, that's a good idea. Let's try it. We may need a BC layer, but maybe not - it smells like a bug that a "disabled" user could become logged in thanks to their remember_me token. |
|
Ok, I'll update this PR |
|
This ended up being a pretty simple fix. |
|
|
|
Here are some details on why that old change was made: https://github.com/symfony/symfony/pull/11058/files#r18096092. Specifically, |
|
Ok switched the base branch to 2.7 |
|
Yea... to say more, if the User was disabled (as you mentioned #24525 (comment)), that would be caught in |
|
I do my disabled user check in |
|
Well, that's a good enough reason for me. Just to verify, with this patch, do you get the desired effects if you try in your real app? |
|
Yes, my real app works as expected. I think if you have different behavior based on an exception thrown in |
|
👍 from me. This is a slight behavior change, but it's fixing a (security) bug imo: you should never want a remembe_me cookie to authenticate a user that fails the user checker (the default The distinction between pre-auth checks (checks that are done before checking credentials, and so are so errors are exposed to the user) and post-auth checks is not relevant here: both should be checked. |
|
Thank you @kbond. |
…e::checkPostAuth() fails (kbond) This PR was merged into the 2.7 branch. Discussion ---------- [Security] Reject remember-me token if UserCheckerInterface::checkPostAuth() fails | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #24525 | License | MIT | Doc PR | - I think this is a security hole - a user can remain logged in with a remember me cookie even though they can no longer pass `UserCheckInterface::checkPostAuth()` (could be disabled). This is a small BC break but shouldn't be an issue as I think it is a bug. I don't think this requires a BC layer but if so, I can add. Commits ------- fe190b6 reject remember-me token if user check fails
I think this is a security hole - a user can remain logged in with a remember me cookie even though they can no longer pass
UserCheckInterface::checkPostAuth()(could be disabled).This is a small BC break but shouldn't be an issue as I think it is a bug. I don't think this requires a BC layer but if so, I can add.