Description
-----------

**Warning: This is currently POC and completely untested!**

This is our current take at fixing #400

As suggested by @nicolas-grekas in symfony/symfony#31078 (comment), we need to add a short expiration time to the persistent rememberme tokens. This also fixes concurrent requests mentioned in symfony/symfony#18384.

**Background Info:**
 - A compiler pass replaces the existing rememberme service implementation. This could be replaced by symfony/symfony#31309, but that would not allow new constructor arguments to the service.
 - Because we have our own service implementation, there's not need for a token provider. Also,  `PersistentToken` is only used to communicate between the service and token provider.

**Authentication flow:**
 1. A request with rememberme cookie is authenticated in the firewall.
 2. The rememberme service will mark all existing database tokens of the current series as *to expire* in 60 seconds.
 3. Also adds a new token without an expiration time to the database.
 4. The new cookie is added to the request attribute. If the request is ESI, the response cookie will never make it to the browser, but that's fine.

On the second parallel request, there will be two tokens in the database (thanks to table locking). If the expiring one is still valid, it will be accepted. Instead of generating another new one, it will however send the already created new one back to the client.

As long as there is one browser request (non-ESI) within that minute, the new rememberme cookie as well as the session will correctly make it to the client. This will be accomplised through:
 1. The main response will never be in the cache (because there are cookies).
 2. Should we implement an option to cache sites regardless of cookies (e.g. via checkbox as in #389), we can add a 1px blank image to the page that will fetch the session/rememberme cookie.


I have also implemented symfony/symfony#27910 and now hashed the token value instead of the series. Both ways would work. Changing this will break existing rememberme cookies in Contao, but as everything is broken atm that should be fine.

**TODO:**
 - [x] ~make the expiration time configurable~
 - [x] update and add unit tests

Commits
-------

92bcb51 Add expiration based persistent rememberme token
9a6a8ba Expire old rememberme series after 5 minutes
5121541 Code adjustments from PR feedback
3807ca3 Use Doctrine ORM entity to define tl_remember_me table
b1b334b Rewrite rememberme services to use ORM
a6b675f Implemented unit tests for everything except rememberme services
438f614 Implemented unit tests for ExpiringTokenBasedRememberMeServices
a5fb20e Add ORM config for travis tests
4bce3e6 Fixed RemembermeServicesPass not correctly overriding arguments
f81c940 Fixed composer.json validation
9ad2251 Fixed PHPStan issues
004489b Fixed several DQL query issues
1f1875e Delete database records of same series before migration
5709870 Fix the coding style
97881a5 Fix the --prefer-lowest tests

Description
-----------

**Warning: This is currently POC and completely untested!**

This is our current take at fixing contao/contao#400

As suggested by @nicolas-grekas in symfony/symfony#31078 (comment), we need to add a short expiration time to the persistent rememberme tokens. This also fixes concurrent requests mentioned in symfony/symfony#18384.

**Background Info:**
 - A compiler pass replaces the existing rememberme service implementation. This could be replaced by symfony/symfony#31309, but that would not allow new constructor arguments to the service.
 - Because we have our own service implementation, there's not need for a token provider. Also,  `PersistentToken` is only used to communicate between the service and token provider.

**Authentication flow:**
 1. A request with rememberme cookie is authenticated in the firewall.
 2. The rememberme service will mark all existing database tokens of the current series as *to expire* in 60 seconds.
 3. Also adds a new token without an expiration time to the database.
 4. The new cookie is added to the request attribute. If the request is ESI, the response cookie will never make it to the browser, but that's fine.

On the second parallel request, there will be two tokens in the database (thanks to table locking). If the expiring one is still valid, it will be accepted. Instead of generating another new one, it will however send the already created new one back to the client.

As long as there is one browser request (non-ESI) within that minute, the new rememberme cookie as well as the session will correctly make it to the client. This will be accomplised through:
 1. The main response will never be in the cache (because there are cookies).
 2. Should we implement an option to cache sites regardless of cookies (e.g. via checkbox as in contao/contao#389), we can add a 1px blank image to the page that will fetch the session/rememberme cookie.


I have also implemented symfony/symfony#27910 and now hashed the token value instead of the series. Both ways would work. Changing this will break existing rememberme cookies in Contao, but as everything is broken atm that should be fine.

**TODO:**
 - [x] ~make the expiration time configurable~
 - [x] update and add unit tests

Commits
-------

92bcb515 Add expiration based persistent rememberme token
9a6a8ba8 Expire old rememberme series after 5 minutes
5121541c Code adjustments from PR feedback
3807ca38 Use Doctrine ORM entity to define tl_remember_me table
b1b334b2 Rewrite rememberme services to use ORM
a6b675f3 Implemented unit tests for everything except rememberme services
438f6144 Implemented unit tests for ExpiringTokenBasedRememberMeServices
a5fb20e6 Add ORM config for travis tests
4bce3e64 Fixed RemembermeServicesPass not correctly overriding arguments
f81c9403 Fixed composer.json validation
9ad2251e Fixed PHPStan issues
004489b2 Fixed several DQL query issues
1f1875ef Delete database records of same series before migration
57098706 Fix the coding style
97881a50 Fix the --prefer-lowest tests

Description
-----------

**Warning: This is currently POC and completely untested!**

This is our current take at fixing contao/contao#400

As suggested by @nicolas-grekas in symfony/symfony#31078 (comment), we need to add a short expiration time to the persistent rememberme tokens. This also fixes concurrent requests mentioned in symfony/symfony#18384.

**Background Info:**
 - A compiler pass replaces the existing rememberme service implementation. This could be replaced by symfony/symfony#31309, but that would not allow new constructor arguments to the service.
 - Because we have our own service implementation, there's not need for a token provider. Also,  `PersistentToken` is only used to communicate between the service and token provider.

**Authentication flow:**
 1. A request with rememberme cookie is authenticated in the firewall.
 2. The rememberme service will mark all existing database tokens of the current series as *to expire* in 60 seconds.
 3. Also adds a new token without an expiration time to the database.
 4. The new cookie is added to the request attribute. If the request is ESI, the response cookie will never make it to the browser, but that's fine.

On the second parallel request, there will be two tokens in the database (thanks to table locking). If the expiring one is still valid, it will be accepted. Instead of generating another new one, it will however send the already created new one back to the client.

As long as there is one browser request (non-ESI) within that minute, the new rememberme cookie as well as the session will correctly make it to the client. This will be accomplised through:
 1. The main response will never be in the cache (because there are cookies).
 2. Should we implement an option to cache sites regardless of cookies (e.g. via checkbox as in contao/contao#389), we can add a 1px blank image to the page that will fetch the session/rememberme cookie.


I have also implemented symfony/symfony#27910 and now hashed the token value instead of the series. Both ways would work. Changing this will break existing rememberme cookies in Contao, but as everything is broken atm that should be fine.

**TODO:**
 - [x] ~make the expiration time configurable~
 - [x] update and add unit tests

Commits
-------

92bcb515 Add expiration based persistent rememberme token
9a6a8ba8 Expire old rememberme series after 5 minutes
5121541c Code adjustments from PR feedback
3807ca38 Use Doctrine ORM entity to define tl_remember_me table
b1b334b2 Rewrite rememberme services to use ORM
a6b675f3 Implemented unit tests for everything except rememberme services
438f6144 Implemented unit tests for ExpiringTokenBasedRememberMeServices
a5fb20e6 Add ORM config for travis tests
4bce3e64 Fixed RemembermeServicesPass not correctly overriding arguments
f81c9403 Fixed composer.json validation
9ad2251e Fixed PHPStan issues
004489b2 Fixed several DQL query issues
1f1875ef Delete database records of same series before migration
57098706 Fix the coding style
97881a50 Fix the --prefer-lowest tests

…irewall (Pchol)

This PR was squashed before being merged into the 5.1-dev branch.

Discussion
----------

[SecurityBundle] add "service" option in remember_me firewall

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        | symfony/symfony-docs#... <!-- required for new features -->

allow override remember me service

Commits
-------

bbf7421 [SecurityBundle] add "service" option in remember_me firewall