bug #40972 Avoid regenerating the remember me token if it is still fresh (Seldaek)

fabpot · fabpot · commit 1c477c6701f8 · 2021-05-07T08:38:01.000+02:00
This PR was merged into the 5.3-dev branch. Discussion ---------- Avoid regenerating the remember me token if it is still fresh | Q | A | ------------- | --- | Branch? | 5.x | Bug fix? | ~yes | New feature? | no? | Deprecations? | no | Tickets | Refs symfony/symfony#40971 | License | MIT | Doc PR |  Please see symfony/symfony#40971 for more information about the context of this change. As it was discussed in symfony/symfony#18384 - regenerating the remember me token/cookie is done to avoid old cookies being stolen and reused, this is a valid concern (although cookie theft is much harder these days with httpOnly and secure flags) and a good security practice, but if the token was refreshed very recently it seems a bit overkill to refresh it again, it leads to more DB writes, and for us who are trying to support concurrent re-authenticating requests it is causing further problems if every request triggers a new token update. I'd be happy to also update this in the old PersistentTokenBasedRememberMeServices if needed, but I find that it is perhaps better to just do this in the new auth system as it was until 5.3 considered experimental. Commits ------- a942b5f684 Avoid regenerating the remember me token if it is still fresh
diff --git a/RememberMe/PersistentRememberMeHandler.php b/RememberMe/PersistentRememberMeHandler.php
@@ -74,8 +74,12 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
             throw new AuthenticationException('The cookie has expired.');
         }
 
-        $tokenValue = base64_encode(random_bytes(64));
-        $this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());
+        // if a token was regenerated less than a minute ago, there is no need to regenerate it
+        // if multiple concurrent requests reauthenticate a user we do not want to update the token several times
+        if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
+            $tokenValue = base64_encode(random_bytes(64));
+            $this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());
+        }
 
         $this->createCookie($rememberMeDetails->withValue($tokenValue));
     }

Original file line number	Diff line number	Diff line change
`@@ -74,8 +74,12 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte`
`74`	`74`	`throw new AuthenticationException('The cookie has expired.');`
`75`	`75`	`}`
`76`	`76`
`77`		`- $tokenValue = base64_encode(random_bytes(64));`
`78`		`- $this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());`
	`77`	`+ // if a token was regenerated less than a minute ago, there is no need to regenerate it`
	`78`	`+ // if multiple concurrent requests reauthenticate a user we do not want to update the token several times`
	`79`	`+ if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {`
	`80`	`+ $tokenValue = base64_encode(random_bytes(64));`
	`81`	`+ $this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());`
	`82`	`+ }`
`79`	`83`
`80`	`84`	`$this->createCookie($rememberMeDetails->withValue($tokenValue));`
`81`	`85`	`}`