[Security] [Remember Me] Improved flexibility for remember me cookies #44168

Closed
@tyrelcher

Description

In a project I'm working on I have a user entity and a number of token entities using single_table inheritance. Using this strategy I can store various types of security tokens for a user. So I figured I might as well add remember me tokens to this as well as opposed to Symfony's standalone table.

This requires me to write a custom RememberMeHandler which is fine; I can get the tokens from wherever I want with this method. However, as the remember me tokens are now directly associated to my user entities I no longer need to have a user identifier stored in the cookie. All I need are the token, timestamp and a signature.

Currently this, along with any other changes one may or may not want to make to the contents of the cookie, isn't possible to make without a completely custom authenticator as this is hard-coded in Symfony.
To make this possible I would need to be able to use my own implementation of a RememberMeDetails class which isn't dependent on a user identifier being present, and being able to use a custom RememberMeHandler to retrieve the user identifier based on the provided RememberMeDetails class.

With this, in addition to changing what is stored in the cookie beyond the token and timestamp, you could even do things like change how it's stored in the cookie, if for some reason you want to change something there.

I would like to ask if there's any interest in a feature like this, and if anyone has any comments.
Should there be any demand, I can try to make an example.

Example

Example Interface

interface RememberMeDetailsInterface
{
    // from* methods used would be dependent on the actual implementation so aren't defined here.
    public function getExpires(): int;
    public function getValue(): string;
    public function toString(): string;
}

Example RememberMeHandler

class MyRememberMeHandler extends AbstractRememberMeHandler
{
    // ...
    
    // Use an interface instead for this and other methods
    public function processRememberMe(RememberMeDetailsInterface $rememberMeDetails, UserInterface $user): void
    {
        // ...
    }
    
    // Maybe it could also return a UserInterface directly to prevent having to retrieve the user
    // from persistence more than once?
    public function getUserIdentifierForCookie(RememberMeDetailsInterface $rememberMeDetails): string
    {
        // As an example of retrieving the user identifier directly from the cookie like it currently does.
        /** @var MyRememberMeDetails $rememberMeDetails */
        return $rememberMeDetails->getUserIdentifier();
    }
    
    // This would only need to be defined when actually changing the used class
    public static function getDetailsClassName(): string
    {
        return MyRememberMeDetails::class;
    }
}
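
An added sketch, not part of the original issue and not Symfony code, of a details class for the cookie described above: token, timestamp and signature, with no user identifier. The interface is redeclared from the issue so the block runs stand-alone; `SignedTokenRememberMeDetails`, `fromRawCookie()`, the `token:expires:signature` layout, the HMAC-SHA256 signature and the secret are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Interface as proposed in the issue above; not part of Symfony.
interface RememberMeDetailsInterface
{
    public function getExpires(): int;
    public function getValue(): string;
    public function toString(): string;
}

// Hypothetical class: cookie is "token:expires:signature", with no user identifier.
final class SignedTokenRememberMeDetails implements RememberMeDetailsInterface
{
    public function __construct(private string $token, private int $expires, private string $secret)
    {
    }

    // Parse a raw cookie; reject malformed, tampered or expired values.
    public static function fromRawCookie(string $raw, string $secret, ?int $now = null): self
    {
        $parts = explode(':', $raw);
        if (3 !== count($parts) || !ctype_xdigit($parts[0]) || !ctype_digit($parts[1])) {
            throw new InvalidArgumentException('Malformed remember-me cookie.');
        }
        $details = new self($parts[0], (int) $parts[1], $secret);
        // Constant-time comparison of the expected and presented signatures.
        if (!hash_equals($details->sign(), $parts[2])) {
            throw new InvalidArgumentException('Invalid remember-me cookie signature.');
        }
        if ($details->expires < ($now ?? time())) {
            throw new InvalidArgumentException('Expired remember-me cookie.');
        }
        return $details;
    }

    public function getExpires(): int { return $this->expires; }
    public function getValue(): string { return $this->token; }
    public function toString(): string { return $this->token.':'.$this->expires.':'.$this->sign(); }

    // HMAC over token and expiry, keyed with a server-side secret.
    private function sign(): string
    {
        return hash_hmac('sha256', $this->token.':'.$this->expires, $this->secret);
    }
}

// Constructed sample values: round-trip a cookie (one week lifetime).
$cookie = (new SignedTokenRememberMeDetails(bin2hex(random_bytes(16)), time() + 604800, 'constructed-secret'))->toString();
var_dump(SignedTokenRememberMeDetails::fromRawCookie($cookie, 'constructed-secret')->toString() === $cookie);
```

A custom handler would then resolve the user from `getValue()` in its own token store, which is the lookup the issue wants to move out of the cookie.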
