
[Security/Http] Check tokens before loading users from providers#49078


Status: Merged. nicolas-grekas merged 1 commit into symfony:5.4 from nicolas-grekas:sec-remember-me on Jan 24, 2023.

Conversation

@nicolas-grekas (Member)

| Q             | A   |
| ------------- | --- |
| Branch?       | 5.4 |
| Bug fix?      | yes |
| New feature?  | no  |
| Deprecations? | no  |
| Tickets       | -   |
| License       | MIT |
| Doc PR        | -   |

Remember me cookies and login link handler tokens contain an expiry but we check this expiry only after we've loaded a user from a provider. This can create unneeded load on the provider. Note that the now legacy security subsystem was free from this issue so this PR is fixing a regression.

For persistent tokens, I've removed any logic to sign them in `PersistentRememberMeHandler` because we never validate the signature, so it's just useless.
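The ordering the description argues for, as an added PHP illustration that is not Symfony's code: a signature-based remember-me token whose HMAC covers a per-user secret (so verifying the signature does need the user object), with the expiry checked before the user provider is asked for anything. The class names, the cookie layout (`identifier:expires:hmac`, base64-encoded) and the fixture values are constructed for this example; the counting provider makes it visible that an expired cookie costs no lookup.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony code. Token layout (constructed here):
// base64(identifier ":" expires ":" hmac). The HMAC covers the identifier,
// the expiry and a per-user secret (think of a password hash), so verifying
// it requires the user; checking the expiry does not.

final class ExpiredTokenException extends RuntimeException {}
final class InvalidSignatureException extends RuntimeException {}

// Stand-in for a user provider that counts how often it is hit.
final class CountingUserProvider
{
    public int $loads = 0;

    /** @param array<string, array{secret: string}> $users constructed fixture */
    public function __construct(private array $users) {}

    public function load(string $identifier): array
    {
        ++$this->loads;
        if (!isset($this->users[$identifier])) {
            throw new RuntimeException("unknown user $identifier");
        }
        return ['identifier' => $identifier] + $this->users[$identifier];
    }
}

final class SignatureRememberMeHandler
{
    public function __construct(private string $appSecret, private CountingUserProvider $provider) {}

    public function createCookie(array $user, int $expires): string
    {
        $hmac = $this->sign($user['identifier'], $expires, $user['secret']);
        return base64_encode(sprintf('%s:%d:%s', $user['identifier'], $expires, $hmac));
    }

    public function consume(string $cookie, int $now): array
    {
        // Identifiers must not contain ':' in this toy layout.
        $parts = explode(':', (string) base64_decode($cookie, true), 3);
        if (3 !== count($parts) || '' === $parts[2]) {
            throw new InvalidSignatureException('malformed cookie');
        }
        [$identifier, $expires, $hmac] = $parts;

        // Expiry first: it needs nothing from the provider, so an expired
        // cookie is rejected before any user lookup happens.
        if (!ctype_digit($expires) || (int) $expires < $now) {
            throw new ExpiredTokenException('remember-me token expired');
        }

        // Only now do we pay for the provider round trip; the signature
        // depends on the user's secret, so it cannot be checked earlier.
        $user = $this->provider->load($identifier);
        $expected = $this->sign($identifier, (int) $expires, $user['secret']);
        if (!hash_equals($expected, $hmac)) {
            throw new InvalidSignatureException('bad signature');
        }

        return $user;
    }

    private function sign(string $identifier, int $expires, string $userSecret): string
    {
        return hash_hmac('sha256', $identifier . ':' . $expires . ':' . $userSecret, $this->appSecret);
    }
}

// Demo with a constructed user fixture and fixed clock.
$provider = new CountingUserProvider(['alice' => ['secret' => 'pw-hash-placeholder']]);
$handler = new SignatureRememberMeHandler('app-secret-placeholder', $provider);
$now = 1_700_000_000;
$alice = ['identifier' => 'alice', 'secret' => 'pw-hash-placeholder'];

$valid = $handler->createCookie($alice, $now + 3600);
$user = $handler->consume($valid, $now);
printf("valid cookie: user=%s, provider loads=%d\n", $user['identifier'], $provider->loads);

$stale = $handler->createCookie($alice, $now - 1);
try {
    $handler->consume($stale, $now);
} catch (ExpiredTokenException $e) {
    printf("expired cookie: %s, provider loads unchanged=%d\n", $e->getMessage(), $provider->loads);
}
```

The second `printf` reports the same load count as the first, which is the whole point of the PR: an expired cookie is rejected on the cheap fields alone. `hash_equals` keeps the signature comparison constant-time; the comparison is placed after the lookup only because the signature input includes a per-user secret.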

@nicolas-grekas (Member, Author)

(deps=high failures need a merge up to be green).

@nicolas-grekas (Member, Author) left a comment

Comments addressed.
@stof, thanks for the review. New round unlocked :)

nicolas-grekas merged commit 1eebf31 into symfony:5.4 on Jan 24, 2023.
nicolas-grekas deleted the sec-remember-me branch on January 24, 2023 13:20.
This was referenced Jan 24, 2023.
nicolas-grekas added a commit that referenced this pull request on Jan 25, 2023:

[Security/Http] Fix compat of persistent remember-me with legacy tokens (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion
----------

[Security/Http] Fix compat of persistent remember-me with legacy tokens

| Q             | A          |
| ------------- | ---------- |
| Branch?       | 5.4        |
| Bug fix?      | yes        |
| New feature?  | no         |
| Deprecations? | no         |
| Tickets       | Fix #49100 |
| License       | MIT        |
| Doc PR        | -          |

In #49078, we changed the format of remember-me tokens, effectively invalidating them all.

While the invalidation is intentional for signature-based remember-me handlers, persistent remember-me handlers could accept both legacy and updated tokens.

This PR fixes compat with legacy tokens for persistent remember-me handlers.

Commits
-------

538d660 [Security/Http] Fix compat of persistent remember-me with legacy tokens

Reviewers

@javiereguiluz left review comments

@stof approved these changes

@wouterj: awaiting requested review

@chalasr: awaiting requested review (code owner)

Assignees

No one assigned

Projects

None yet

Milestone

5.4

Development

Successfully merging this pull request may close these issues.

4 participants

@nicolas-grekas, @javiereguiluz, @stof, @carsonbot
