As it was discussed in#18384 - regenerating the remember me token/cookie is done to avoid old cookies being stolen and reused, this is a valid concern (although cookie theft is much harder these days with httpOnly and secure flags) and a good security practice, but if the token was refreshed very recently it seems a bit overkill to refresh it again, it leads to more DB writes, and for us who are trying to support concurrent re-authenticating requests it is causing further problems if every request triggers a new token update.

I'd be happy to also update this in the old PersistentTokenBasedRememberMeServices if needed, but I find that it is perhaps better to just do this in the new auth system as it was until 5.3 considered experimental.

Avoid regenerating the remember me token if it is still fresh

a942b5f

Seldaek requested review fromchalasr andwouterj ascode owners

April 28, 2021 11:47

carsonbot added the Status: Needs Review label

Apr 28, 2021

Seldaek mentioned this pull request

Apr 28, 2021

[Security] Add a way to hook into PersistentRememberMeHandler#40971

Closed

chalasr approved these changes

May 6, 2021

View reviewed changes

Copy link

Member

chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Looks sensible to me, thanks. Fixes#28314 also?

carsonbot added Status: Reviewed and removed Status: Needs Review labels

May 6, 2021

Copy link

MemberAuthor

Seldaek commentedMay 6, 2021

No it makes it possible/easier to fix that issue of parallel reauth requests but this in itself is not enough to fix it. I'll try and send another PR to add event hooks or an optional interface perhaps allowing the remember me token storage to implement a fix, then we have a chance of fixing this by default in 6 perhaps.