[Security][bug] Remember-me cookie with custom secure/httponly options is not cleared on logout #14822


Closed
MacDada opened this issue Jun 1, 2015 · 2 comments

Comments

MacDada changed the title from "[Security][bug] Remember-me cookie is not cleared on logout when custom secure/httponly options" to "[Security][bug] Remember-me cookie with custom secure/httponly options is not cleared on logout" on Jun 1, 2015

MacDada (Contributor, issue author) commented Jun 2, 2015

A temporary workaround is to add the cookie to the security:firewalls:name:delete_cookies config: http://symfony.com/doc/current/reference/configuration/security.html#full-default-configuration

I have created a custom class extending AbstractRememberMeServices, so I've overridden cancelCookie() instead.

What do you propose as the solution? I could make a PR:

  1. Pass the options in AbstractRememberMeServices::cancelCookie() like it always should have been done
  2. Override cancelCookie() in both implementations so that the abstract implementation works as usual
  3. Add yet another config option to decide if those options should be passed (nah…)
  4. Something else?

Both 1 and 2 could be considered BC, because people might rely on current behaviour.

If the fix was a BC, to which branch should I make a PR?
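An added example (not the issue author's code nor Symfony's own) of the workaround described in this comment: overriding cancelCookie() so the clearing cookie carries the same secure/httponly attributes as the cookie that was originally set. It assumes a hypothetical Acme\Security namespace and extends TokenBasedRememberMeServices, one of the two concrete implementations, so the subclass is complete; the argument order follows the Symfony 2.3 Cookie constructor.

```php
<?php
// Hypothetical subclass (added example, not Symfony project code).
// In Symfony 2.3 the base cancelCookie() builds the clearing cookie without
// the "secure"/"httponly" options, so a firewall configured with custom
// values may leave the original remember-me cookie in the browser.
namespace Acme\Security;

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\RememberMe\TokenBasedRememberMeServices;

class OptionsAwareRememberMeServices extends TokenBasedRememberMeServices
{
    protected function cancelCookie(Request $request)
    {
        if (null !== $this->logger) {
            $this->logger->debug(sprintf('Clearing remember-me cookie "%s"', $this->options['name']));
        }

        // Mirror the attributes the cookie was set with. The fallbacks match
        // the defaults of Symfony's Cookie class (secure=false, httponly=true)
        // and only matter if the options were not passed in at construction.
        $secure   = isset($this->options['secure']) ? $this->options['secure'] : false;
        $httpOnly = isset($this->options['httponly']) ? $this->options['httponly'] : true;

        // Same attribute name the base class uses; the firewall's
        // RememberMeListener/ResponseListener turns it into a Set-Cookie header.
        $request->attributes->set(
            self::COOKIE_ATTR_NAME,
            new Cookie(
                $this->options['name'],
                null,                    // empty value
                1,                       // expiry in the past: browser discards it
                $this->options['path'],
                $this->options['domain'],
                $secure,
                $httpOnly
            )
        );
    }
}
```

Register the class in place of the default remember-me services for the firewall; the logout() path in the parent class calls cancelCookie() unchanged.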

MacDada added a commit to MacDada/symfony that referenced this issue Jun 3, 2015
…ut()

It does work for default values of "secure" and "httponly" options, but it would break if one customized those options.
symfony#14822
MacDada added a commit to MacDada/symfony that referenced this issue Jun 3, 2015
…y" options

* test now always pass those options, as they are required
* could be considered BC, but RememberMeFactory passes them, so they should've always been treated as required
* symfony#14822
MacDada added a commit to MacDada/symfony that referenced this issue Jun 3, 2015
…y" options if they are set

* tests show that currently those options might not exist
* should not be considered BC?
* symfony#14822
MacDada (Contributor, issue author) commented Jun 3, 2015

I made 2 PRs with proposed fixes. I'd prefer [1] #14842 as it's just a plain–simple fix, but [2] #14843 could be seen as being less BC–ish.

fabpot added a commit that referenced this issue Oct 5, 2015
…with custom "secure"/"httponly" config options [1] (MacDada)

This PR was squashed before being merged into the 2.3 branch (closes #14842).

Discussion
----------

[Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #14822
| License       | MIT
| Doc PR        | ~

* test now always pass "secure" and "httponly" options, as they are required
* could be considered BC, but [`RememberMeFactory` passes them](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php#L21), so they should've always been treated as required
* I can squash the commits before merging
* Alternative solution: #14843

Commits
-------

18b1c6a [Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]
@fabpot fabpot closed this as completed Oct 5, 2015