Commit 5851eee

Hiding userFqcn in RememberMe cookie
1 parent e348b70 commit 5851eee

3 files changed

+12
-7
lines changed


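--- a/src/Symfony/Component/Security/Http/CHANGELOG.md
+++ b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -3,7 +3,7 @@ CHANGELOG
 
 7.3
 ---
-
+* Rename property userFqcn to userFqcnHash, remove method getUserFqcn, add method getUserFqcnHash.
 * Add encryption support to `OidcTokenHandler` (JWE)
 
 7.2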

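--- a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
+++ b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
@@ -67,7 +67,7 @@ public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): U
 [$series, $tokenValue] = explode(':', $rememberMeDetails->getValue(), 2);
 $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
 
-if ($persistentToken->getUserIdentifier() !== $rememberMeDetails->getUserIdentifier() || $persistentToken->getClass() !== $rememberMeDetails->getUserFqcn()) {
+if ($persistentToken->getUserIdentifier() !== $rememberMeDetails->getUserIdentifier() || !hash_equals(RememberMeDetails::computeUserFqcnHash($persistentToken->getClass()), $rememberMeDetails->getUserFqcnHash())) {
 throw new AuthenticationException('The cookie\'s hash is invalid.');
 }
 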
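Review bot: The rewritten condition rejects every cookie minted by the previous format, whose first field was the dotted class name (`strtr($this->userFqcn, '\\', '.')` in the old `toString`) rather than a SHA-256 digest, so after deployment each existing remember-me cookie will hit `throw new AuthenticationException('The cookie\'s hash is invalid.')` on first use; that may be acceptable for a minor release but deserves a sentence in the CHANGELOG entry, and whether the stale cookie is then cleared depends on the caller's handling of the exception, which is outside this hunk. The digest is unkeyed and the class name is not a secret, so `hash_equals` here buys constant time but no binding beyond what `loadTokenBySeries` already established; a comment would stop a later reader from treating it as the cookie's integrity check: `// Class digest is a consistency check only (unkeyed SHA-256 of a public name); the secret material is $tokenValue.` The verification of `$tokenValue` is not visible in this hunk, so confirm it still happens further down. `consumeRememberMeCookie` starts and ends outside the hunk.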

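--- a/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php
+++ b/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php
@@ -22,7 +22,7 @@ class RememberMeDetails
 public const COOKIE_DELIMITER = ':';
 
 public function __construct(
-private string $userFqcn,
+private string $userFqcnHash,
 private string $userIdentifier,
 private int $expires,
 private string $value,
@@ -48,7 +48,12 @@ public static function fromRawCookie(string $rawCookie): self
 
 public static function fromPersistentToken(PersistentToken $persistentToken, int $expires): self
 {
-return new static($persistentToken->getClass(), $persistentToken->getUserIdentifier(), $expires, $persistentToken->getSeries().':'.$persistentToken->getTokenValue());
+return new static(self::computeUserFqcnHash($persistentToken->getClass()), $persistentToken->getUserIdentifier(), $expires, $persistentToken->getSeries().':'.$persistentToken->getTokenValue());
+}
+
+public static function computeUserFqcnHash(string $userFqcn): string
+{
+return hash('sha256', $userFqcn);
 }
 
 public function withValue(string $value): self
@@ -59,9 +64,9 @@ public function withValue(string $value): self
 return $details;
 }
 
-public function getUserFqcn(): string
+public function getUserFqcnHash(): string
 {
-return $this->userFqcn;
+return $this->userFqcnHash;
 }
 
 public function getUserIdentifier(): string
@@ -82,6 +87,6 @@ public function getValue(): string
 public function toString(): string
 {
 // $userIdentifier is encoded because it might contain COOKIE_DELIMITER, we assume other values don't
-return implode(self::COOKIE_DELIMITER, [strtr($this->userFqcn, '\\', '.'), strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
+return implode(self::COOKIE_DELIMITER, [$this->userFqcnHash, strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
 }
 }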
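Review bot: `computeUserFqcnHash` carries no docblock, and because it is a plain unkeyed `hash('sha256', $userFqcn)` of a class name drawn from a tiny candidate set, anyone who can guess the application's user class can recompute it; the method hides the FQCN from casual inspection of the cookie but does not make it secret or bind it to anything. I would state that above the method: `/** Digest of the user class stored in the cookie instead of the raw FQCN. Unkeyed and deterministic: it obscures the class name but is not a secret and must not be treated as an integrity check. */`. The `toString` comment that other fields are assumed not to contain `COOKIE_DELIMITER` now holds trivially for the first field, since a hex digest cannot contain ':'. `fromRawCookie` is outside these hunks; if it still maps '.' back to '\\' in the first field that is harmless for a hex string but now dead code worth removing.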
