[Security\Http] Fix handling secure: auto using the new RememberMeAuthenticator #41254

Merged: 1 commit, May 18, 2021

@chalasr (Member) commented May 17, 2021

| Q | A |
| --- | --- |
| Branch? | 5.x |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | - |
| License | MIT |
| Doc PR | - |

The created cookie was always secure when using auto because of some missing config normalization that should have been copied from the legacy rememberme implementation.

@chalasr chalasr requested a review from wouterj as a code owner May 17, 2021 15:39
@chalasr chalasr changed the title [Security\Http] Fix handling secure: auto using the new RememberMeA… [Security\Http] Fix handling secure: auto using the new RememberMeAuthenticator May 17, 2021
@@ -104,6 +104,10 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
$loader->load('security_authenticator_remember_me.php');
}

if ('auto' === $config['secure']) {
$config['secure'] = null;
}
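
Review bot: the new `'auto'` to `null` mapping in `createAuthenticator()` carries no comment saying why `null` is the right value, and nothing in this hunk exercises it. A one-line comment that `null` defers the decision to the request (the `$this->options['secure'] ?? $request->isSecure()` fallback quoted in the thread), plus a test that loads a firewall with `secure: auto` and asserts the authenticator receives `null`, would keep this from regressing. Since the same block is said to exist in the legacy implementation, moving the normalization to one shared place would stop the two code paths from drifting apart again.
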
Member Author

Here is the corresponding logic from the old implementation:

```php
if ('auto' === $mergedOptions['secure']) {
    $mergedOptions['secure'] = null;
}
```

It is needed for:

```php
$this->options['secure'] ?? $request->isSecure(),
```
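
The effect of the missing normalization, as an added example that is not part of this pull request or of Symfony's code: it resolves the cookie's Secure flag for each `secure` setting over HTTP and HTTPS, with and without the `'auto'` to `null` step. The function names are hypothetical, and the `(bool)` cast models the assumption that the resolved value ends up in a boolean cookie parameter.

```php
<?php
// Added illustration; function names are hypothetical, not Symfony's API.

/** Normalization from the patch: 'auto' becomes null so the request decides. */
function normalizeSecure(array $config): array
{
    if ('auto' === $config['secure']) {
        $config['secure'] = null;
    }

    return $config;
}

/**
 * Resolve the cookie's Secure flag with the expression quoted in the thread.
 * Assumption: the result is passed to a bool parameter, modelled by the cast.
 */
function resolveSecureFlag(array $options, bool $requestIsSecure): bool
{
    return (bool) ($options['secure'] ?? $requestIsSecure);
}

// Constructed inputs: every supported setting against both request schemes.
$rows = [];
foreach ([true, false, 'auto'] as $configured) {
    foreach ([false, true] as $https) {
        $raw = ['secure' => $configured];
        $rows[] = [
            'config'  => var_export($configured, true),
            'request' => $https ? 'https' : 'http',
            'before'  => resolveSecureFlag($raw, $https),
            'after'   => resolveSecureFlag(normalizeSecure($raw), $https),
        ];
    }
}

foreach ($rows as $r) {
    printf(
        "secure=%-6s %-5s  before fix: %-5s  after fix: %s\n",
        $r['config'],
        $r['request'],
        var_export($r['before'], true),
        var_export($r['after'], true)
    );
}
```

The only row where the two columns differ is `secure: auto` on a plain HTTP request: without the normalization the non-null string short-circuits `??`, so the request scheme is never consulted.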

@chalasr chalasr force-pushed the fix-rememberme-secure-auto branch from 4333d0b to 3fdc154 Compare May 17, 2021 15:54
@nicolas-grekas nicolas-grekas added this to the 5.3 milestone May 18, 2021
@nicolas-grekas (Member):

Thank you @chalasr.

@nicolas-grekas nicolas-grekas merged commit 4382181 into symfony:5.x May 18, 2021
@chalasr chalasr deleted the fix-rememberme-secure-auto branch May 18, 2021 09:01
@fabpot fabpot mentioned this pull request May 19, 2021