I am currently using Symfony 5.4 and I wanted to understand how to remove the REMEMBERME cookie server side.
I am trying to set the delete_cookies parameter in the security.yaml under the logout:

    main:
        lazy: true
        provider: app_user_provider
        switch_user: true
        form_login:
            login_path: app_login
            check_path: app_login
        remember_me:
            secret: '%kernel.secret%'
            lifetime: 604800 # 1 week in seconds
            secure: true
        logout:
            path: app_logout
            delete_cookies:
                REMEMBERME: { path: null, domain: null }
But in the same way, if with Postman I redo a call to a protected route by sending only the REMEMBERME cookie, even without being logged in, it shows me the protected route... In this way, if someone manages to intercept the REMEMBERME of any connected user, they can access the system...
CodePudding user response:
There are 2 ways Remember Me cookies can work. See the Symfony docs for token storage.

Signature based tokens: By default, the remember me cookie contains a signature based on properties of the user. If the properties change, the signature changes and already generated tokens are no longer considered valid.

Persistent tokens: Persistent tokens store any generated token (e.g. in a database). This allows you to invalidate tokens by changing the rows in the database.
Persistent tokens are probably more secure as you can invalidate the tokens via the database at any time you like. In your case you can invalidate the token on logout.
However, you can still invalidate Signature based tokens by using signature_properties under your remember_me firewall.
    # config/packages/security.yaml
    security:
        # ...
        firewalls:
            main:
                # ...
                remember_me:
                    secret: '%kernel.secret%'
                    # ...
                    signature_properties: ['password', 'updatedAt']
You could for example create a new field in your User Entity, e.g. rememberMeKey, generating a random 16 digit code, for example:

    bin2hex(random_bytes(8));

Then add it to the signature_properties like this:

    signature_properties: ['password', 'updatedAt', 'rememberMeKey']
Now when you would like to invalidate it you can just re-generate a new code for that property in your User Entity, in your case when the user logs out.
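The rotation step described above, as an added example (not code from the answer or from Symfony itself): an event subscriber that regenerates the rememberMeKey when the logout listener dispatches LogoutEvent. It assumes an App\Entity\User Doctrine entity with a string rememberMeKey property exposed through getRememberMeKey()/setRememberMeKey() (the property accessor used by signature_properties needs the getter), and that 'rememberMeKey' has been added to remember_me.signature_properties as shown. The class name is a placeholder.

```php
<?php
// Added example, not part of the original answer. Rotates the user's
// rememberMeKey on logout so every REMEMBERME cookie that was signed with the
// old value (including a copy captured earlier) fails signature validation.
//
// Assumptions: App\Entity\User has a `rememberMeKey` string property with a
// getter and setter, and 'rememberMeKey' is listed in
// remember_me.signature_properties in security.yaml.

namespace App\EventSubscriber;

use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Http\Event\LogoutEvent;

final class RotateRememberMeKeyOnLogout implements EventSubscriberInterface
{
    /** @var EntityManagerInterface */
    private $em;

    public function __construct(EntityManagerInterface $em)
    {
        $this->em = $em;
    }

    public static function getSubscribedEvents(): array
    {
        // LogoutEvent is dispatched by the logout listener (Symfony 5.1+, so 5.4 too)
        return [LogoutEvent::class => 'onLogout'];
    }

    public function onLogout(LogoutEvent $event): void
    {
        $token = $event->getToken();
        $user = $token ? $token->getUser() : null;

        if (!$user instanceof User) {
            return; // no authenticated entity user: nothing to rotate
        }

        // 8 random bytes -> 16 hex characters, as in the answer
        $user->setRememberMeKey(bin2hex(random_bytes(8)));
        $this->em->flush();

        // logout.delete_cookies still clears the browser's copy; the point of
        // the rotation is that a stolen copy no longer matches the new signature.
    }
}
```

With autowiring and autoconfigure enabled (the Symfony default), the subscriber is registered as soon as the file exists. Give rememberMeKey an initial value when the user is created (for instance in the entity constructor), otherwise the signature is computed over an empty value until the first logout; to invalidate remember-me cookies on other occasions (password reset, suspected theft), call the same setter from that code path and flush.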