Closed
Symfony version(s) affected: 4.3.3
Description
The session token was deauthenticated when the user data changed. But after that, the RememberMeToken will be accepted and will restore the session token.
This looks like the RememberMeToken never triggers the user data comparison before restoring the session token.
Log:
[2019-08-11 01:37:15] security.DEBUG: Cannot refresh token because user has changed. { ... }
[2019-08-11 01:37:15] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2019-08-11 01:37:15] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"main","authenticators":1} []
[2019-08-11 01:37:15] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"main","authenticator":"App\\Security\\MyUserAuthenticator"} []
[2019-08-11 01:37:15] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"main","authenticator":"App\\Security\\MyUserAuthenticator"}
[2019-08-11 01:37:15] security.DEBUG: Remember-me cookie detected. [] []
...
[2019-08-11 01:37:15] security.INFO: Remember-me cookie accepted. [] []
[2019-08-11 01:37:15] security.DEBUG: Populated the token storage with a remember-me token. [] []
[2019-08-11 01:37:16] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []
How to reproduce
Configure the "remember_me" feature in security.yaml:
firewalls:
    main:
        remember_me:
            secret: "%kernel.secret%"
            lifetime: 604800
Implement the EquatableInterface:
public function isEqualTo(UserInterface $user): bool
{
    // A disabled user must never be considered equal to the stored one,
    // so the session token gets deauthenticated on refresh.
    if (null !== $this->disabledAt) {
        return false;
    }
    ...
    return true;
}
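One defender-side mitigation for the behaviour described in this issue, as an added example that is not part of the issue or of Symfony's own code: a UserCheckerInterface implementation that rejects a disabled account on every authentication path, including the remember-me provider, instead of relying only on EquatableInterface::isEqualTo(), which runs when an existing session token is refreshed. The class name App\Security\DisabledUserChecker and the getDisabledAt() accessor are assumptions; the $disabledAt property is the one from the issue.

```php
<?php
// Added example, not from the issue or from Symfony. Assumptions: the User entity
// (App\Entity\User) exposes getDisabledAt() for the $disabledAt property shown above.
namespace App\Security;

use App\Entity\User;
use Symfony\Component\Security\Core\Exception\DisabledException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

/**
 * Wire it per firewall in config/packages/security.yaml:
 *
 *   firewalls:
 *       main:
 *           user_checker: App\Security\DisabledUserChecker
 *           remember_me:
 *               secret: "%kernel.secret%"
 *               lifetime: 604800
 */
final class DisabledUserChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user): void
    {
        // The remember-me authentication provider only calls the pre-auth hook,
        // so the check has to live here to cover the remember-me cookie path.
        $this->rejectIfDisabled($user);
    }

    public function checkPostAuth(UserInterface $user): void
    {
        // Interactive logins (form, guard) also call the post-auth hook; checking
        // again costs nothing and keeps the rule in one place.
        $this->rejectIfDisabled($user);
    }

    private function rejectIfDisabled(UserInterface $user): void
    {
        if (!$user instanceof User) {
            return; // other user classes have no disabledAt notion
        }
        if (null !== $user->getDisabledAt()) {
            // Throwing here makes authentication fail, so no token is stored
            // in the session and the remember-me cookie cannot restore one.
            throw new DisabledException('Account is disabled.');
        }
    }
}
```

With this in place the "Remember-me cookie accepted" step in the log is followed by an authentication failure for a disabled user rather than by "Populated the token storage with a remember-me token".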