How do I delete the remember_me cookie when I log out?-CodePudding

I am currently using symfony 5.4 and i wanted to understand how to remove the REMEMBERME server side

I am trying to set the delete_cookies parameter in the security.yaml under the logout:

        main:
            lazy: true
            provider: app_user_provider
            switch_user: true
            form_login:
                login_path: app_login
                check_path: app_login
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
                secure: true
            logout:
                path: app_logout
                delete_cookies:
                    REMEMBERME: { path: null, domain: null}

but in the same way if with postman I redo a call in a protected route by putting only the REMEMBERME cookie, even without being logged in, it shows me the protected route ... in this way if someone manages to intercept a REMEMBERME of any connected user they can access the system ...

CodePudding user response：

There are 2 ways Remember Me Cookies can work. See the Symfony docs for token storage

Signature based tokens By default, the remember me cookie contains a signature based on properties of the user. If the properties change, the signature changes and already generated tokens are no longer considered valid.
Persistent tokens Persistent tokens store any generated token (e.g. in a database). This allows you to invalidate tokens by changing the rows in the database.

Persistent tokens are probably more secure as you can invalidate the tokens via the database at any time you like. In your case you can invalidate the token on logout.

However, you can still invalidate Signature based tokens by using signature_properties under your remember_me firewall.

# config/packages/security.yaml
security:
    # ...

    firewalls:
        main:
            # ...
            remember_me:
                secret: '%kernel.secret%'
                # ...
                signature_properties: ['password', 'updatedAt']

You could for example create a new field in your User Entity eg. rememberMeKey generating a random 16 digit code for example.

bin2hex(random_bytes(8));

Then add it to the signature_properties like this signature_properties: ['password', 'updatedAt', 'rememberMeKey'].

Now when you would like to invalidate it you can just re-generate a new code for that property in your User Entity, in your case when the user logs out.