
[Security/Http] Hash Persistent RememberMe token#35960


Merged
chalasr merged 1 commit into symfony:master from guillbdx:feature/27910-hash-persistent-rememberme-token
Mar 5, 2020

Conversation

@guillbdx commented Mar 4, 2020 (edited by nicolas-grekas)

Q / A
Branch? master
Bug fix? no
New feature? yes
Deprecations? no
Tickets: Fix #27910
License: MIT
Doc PR: Not sure this enhancement needs documentation

The purpose of this PR is to enhance the Remember Me persistent token feature: instead of storing the clear token value in the DB, the values will be hashed.
To make sure that existing remember me cookies will keep being valid after this change, we prefix the new token values with 'hash_'. In case the token value doesn't match this prefix, we keep validating it the old way.
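The scheme described in the PR, written out as an added stand-alone example (not the code from this PR or from Symfony's PersistentTokenBasedRememberMeServices): the database only ever receives the SHA-256 digest of the token value, prefixed with 'hash_', so a copy of the remember-me table no longer yields values that could be placed straight into a cookie; rows written before the change carry no prefix and are still compared against the presented value. The in-memory `$rows` array and the helper names are assumptions made for illustration; both comparisons go through `hash_equals` so that neither code path leaks timing information.

```php
<?php
// Added example, not Symfony's own code. Models the dual validation path
// described in the PR: 'hash_'-prefixed digests for new rows, clear values
// for rows written before the change.

const HASH_PREFIX = 'hash_';

// Value to store in the database for a freshly generated token value.
function hashTokenValue(string $tokenValue): string
{
    // Only the SHA-256 digest reaches the DB; the cookie keeps the preimage.
    return HASH_PREFIX.hash('sha256', $tokenValue);
}

// Validate the token value presented by the cookie against the stored row.
function tokenValueMatches(string $storedValue, string $presentedValue): bool
{
    if (0 === strpos($storedValue, HASH_PREFIX)) {
        // New-style row: hash the presented value and compare digest to digest.
        return hash_equals($storedValue, hashTokenValue($presentedValue));
    }

    // Legacy row written before hashing: compare clear values, still in
    // constant time so the legacy path is not a timing side channel.
    return hash_equals($storedValue, $presentedValue);
}

// Constructed sample rows keyed by series id, as the persistent token table
// would hold them. Values are random here; real rows come from the store.
$legacyValue = base64_encode(random_bytes(64));
$newValue = base64_encode(random_bytes(64));
$rows = [
    'series-legacy' => $legacyValue,            // written before the change
    'series-new' => hashTokenValue($newValue),  // written after the change
];

var_dump(tokenValueMatches($rows['series-new'], $newValue));
var_dump(tokenValueMatches($rows['series-legacy'], $legacyValue));
var_dump(tokenValueMatches($rows['series-new'], $legacyValue));
```

A practical follow-up, not part of this PR: when a legacy row validates successfully, the caller can immediately rewrite it with `hashTokenValue($presentedValue)`, so the unprefixed rows disappear as users log in and the fallback path can eventually be removed.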

@lyrixx (Member)

You need random data in the hash (nonce) to make the secret unknowable.
I would use the password API or the libsodium API for this use case.

@chalasr (Member)

SHA256 seems good enough as per #27910 (comment)

nicolas-grekas, lyrixx, and guillbdx reacted with thumbs up emoji

@nicolas-grekas (Member) left a comment

Don't miss adding some tests :)

@guillbdx (Author)

Don't miss adding some tests :)

I've updated PersistentTokenBasedRememberMeServicesTest, so it now uses tokens with hashed values.
I also annotated the testAutoLogin test to be run twice: once with a hashed token value, and once with a clear token value, to make sure the old way keeps working.

@nicolas-grekas changed the title from "Hash Persistent RememberMe token" to "[Security/Http] Hash Persistent RememberMe token" Mar 4, 2020

@nicolas-grekas (Member) left a comment

LGTM thanks

@chalasr (Member) left a comment

The Security CHANGELOG needs to be updated.

@chalasr (Member)

Thank you @guillbdx.

@chalasr merged commit 45c4ffa into symfony:master Mar 5, 2020
@nicolas-grekas modified the milestones: next, 5.1 May 4, 2020
@fabpot mentioned this pull request May 5, 2020
Reviewers

@nicolas-grekas approved these changes

@wouterj approved these changes

@chalasr approved these changes

Assignees
No one assigned
Projects
None yet
Milestone
5.1
Development

Successfully merging this pull request may close these issues.

RememberMe token should be hashed in the database
6 participants
@guillbdx @lyrixx @chalasr @nicolas-grekas @wouterj @carsonbot
