Bug #42343 [Security] Fix valid remember-me token exposure to the second consequent request

Ivan Kurnosov · Ivan Kurnosov · commit 62ceded47ca4 · 2022-09-06T09:24:13.000+12:00
Close #42343 Fix #46760
diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
@@ -75,7 +75,6 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
 
         if ($this->tokenVerifier) {
             $isTokenValid = $this->tokenVerifier->verifyToken($persistentToken, $tokenValue);
-            $tokenValue = $persistentToken->getTokenValue();
         } else {
             $isTokenValid = hash_equals($persistentToken->getTokenValue(), $tokenValue);
         }
@@ -96,9 +95,9 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
                 $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
             }
             $this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
-        }
 
-        $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
+            $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
+        }
     }
 
     /**
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php
@@ -125,18 +125,7 @@ public function testConsumeRememberMeCookieValidByValidatorWithoutUpdate()
         $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:oldTokenValue');
         $handler->consumeRememberMeCookie($rememberMeDetails);
 
-        // assert that the cookie has been updated with a new base64 encoded token value
-        $this->assertTrue($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
-
-        /** @var Cookie $cookie */
-        $cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
-
-        $cookieParts = explode(':', base64_decode($cookie->getValue()), 4);
-
-        $this->assertSame(InMemoryUser::class, $cookieParts[0]); // class
-        $this->assertSame(base64_encode('wouter'), $cookieParts[1]); // identifier
-        $this->assertSame('360', $cookieParts[2]); // expire
-        $this->assertSame('series1:tokenvalue', $cookieParts[3]); // value
+        $this->assertFalse($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
     }
 
     public function testConsumeRememberMeCookieInvalidToken()

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,6 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte`
`75`	`75`
`76`	`76`	`if ($this->tokenVerifier) {`
`77`	`77`	`$isTokenValid = $this->tokenVerifier->verifyToken($persistentToken, $tokenValue);`
`78`		`- $tokenValue = $persistentToken->getTokenValue();`
`79`	`78`	`} else {`
`80`	`79`	`$isTokenValid = hash_equals($persistentToken->getTokenValue(), $tokenValue);`
`81`	`80`	`}`
`@@ -96,9 +95,9 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte`
`96`	`95`	`$this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);`
`97`	`96`	`}`
`98`	`97`	`$this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);`
`99`		`- }`
`100`	`98`
`101`		`- $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));`
	`99`	`+ $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));`
	`100`	`+ }`
`102`	`101`	`}`
`103`	`102`
`104`	`103`	`/**`