Commit7518fea

committed

[Security] Enforce maximum username length

1 parentf444462 commit7518feaCopy full SHA for 7518fea

File tree

-0

lines changed

-0

lines changed

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
@@ -343,6 +343,11 @@ can also create your own :ref:`custom user provider <security-custom-user-provid
`343`	`343`	it using the:class:`Symfony\\Component\\Security\\Core\\User\\UserProviderInterface`
`344`	`344`	`type-hint.`
`345`	`345`
	`346`	`+..note::`
	`347`	`+`
	`348`	`+ The maximum length allowed for the user identifier is 4096 characters to`
	`349`	+ prevent `session storage flooding`_ attacks.
	`350`	`+`
`346`	`351`	`.. _security-encoding-user-password:`
`347`	`352`
`348`	`353`	`Registering the User: Hashing Passwords`
`@@ -2656,3 +2661,4 @@ Authorization (Denying Access)`
`2656`	`2661`	.. _`SymfonyCastsVerifyEmailBundle`:https://github.com/symfonycasts/verify-email-bundle
`2657`	`2662`	.. _`HTTP Basic authentication`:https://en.wikipedia.org/wiki/Basic_access_authentication
`2658`	`2663`	.. _`Login CSRF attacks`:https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests
	`2664`	+.. _`session storage flooding`:https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session

Comments

(0)