Skip to content

Avoid regenerating the remember me token if it is still fresh #40972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 7, 2021
Merged

Avoid regenerating the remember me token if it is still fresh #40972

merged 1 commit into from
May 7, 2021

Conversation

Seldaek
Copy link
Member

@Seldaek Seldaek commented Apr 28, 2021

Q A
Branch? 5.x
Bug fix? ~yes
New feature? no?
Deprecations? no
Tickets Refs #40971
License MIT
Doc PR

Please see #40971 for more information about the context of this change.

As it was discussed in #18384 - regenerating the remember me token/cookie is done to avoid old cookies being stolen and reused, this is a valid concern (although cookie theft is much harder these days with httpOnly and secure flags) and a good security practice, but if the token was refreshed very recently it seems a bit overkill to refresh it again, it leads to more DB writes, and for us who are trying to support concurrent re-authenticating requests it is causing further problems if every request triggers a new token update.

I'd be happy to also update this in the old PersistentTokenBasedRememberMeServices if needed, but I find that it is perhaps better to just do this in the new auth system as it was until 5.3 considered experimental.

@Seldaek Seldaek requested review from chalasr and wouterj as code owners April 28, 2021 11:47
@Seldaek Seldaek mentioned this pull request Apr 28, 2021
Closed
chalasr
chalasr approved these changes May 6, 2021
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks sensible to me, thanks. Fixes #28314 also?

@Seldaek
Copy link
Member Author

Seldaek commented May 6, 2021

No it makes it possible/easier to fix that issue of parallel reauth requests but this in itself is not enough to fix it. I'll try and send another PR to add event hooks or an optional interface perhaps allowing the remember me token storage to implement a fix, then we have a chance of fixing this by default in 6 perhaps.

@fabpot
Copy link
Member

fabpot commented May 7, 2021

Thank you @Seldaek.

@fabpot fabpot merged commit 883899e into symfony:5.x May 7, 2021
@fabpot fabpot mentioned this pull request May 9, 2021
Merged
@Seldaek Seldaek deleted the patch-12 branch May 11, 2021 08:59
@Seldaek Seldaek mentioned this pull request May 11, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@chalasr chalasr chalasr approved these changes

@wouterj wouterj Awaiting requested review from wouterj

Assignees
No one assigned
Labels
Status: Reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Seldaek @fabpot @chalasr @carsonbot