
[Security-HTTP] Type mismatch between TokenBasedRememberMeServices and UserInterface #35477

@ckrack

Symfony version(s) affected: 5.0.0

Description
The interface of TokenBasedRememberMeServices::generateCookieValue() expects username and password to be string.

UserInterface and User from Security-Core have mismatching signatures.
In UserInterface there are no defined return types, only phpdocs for string|null in case of getPassword() and string in case of getUserName().
These mismatch with what the TokenBasedRememberMeServices expects.

How to reproduce
I experience this with code loosely based on the example from KnpUniversity\Oauth2ClientBundle.
I'm using a User class which returns null in getPassword().

Possible Solution
The signature and expectations should be aligned, either by enforcing string throughout the UserInterface and User class or by allowing null in TokenBasedRememberMeServices::generateCookieValue() and a typecast inside generateCookieHash.

I'm not sure, but I think it's a security issue to allow remember-me with users that do not have passwords (the hash will only be based on class, username and expires). If it is, this should be clarified in the docs and there must be a more meaningful exception when the password is null or an empty string.
Or, to degrade gracefully, the cookie should not be set when the password is empty.

Additional context
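The fail-closed variant the report asks for, as an added example that is not Symfony code and not the reporter's code: a password-less user (the OAuth case described above) gets no remember-me cookie at all, instead of a cookie whose hash covers only class, username and expiry. The `RememberMeCookieIssuer` class, the `UserLike` interface, the `:` delimiter and the secret are assumptions made for this illustration; the real `TokenBasedRememberMeServices` computes an HMAC over similar inputs but its exact encoding is not reproduced here.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for UserInterface: return types exist only in phpdoc,
// exactly the mismatch the issue describes.
interface UserLike
{
    /** @return string|null */
    public function getPassword();

    /** @return string */
    public function getUsername();
}

// Constructed user modelled on the issue: an OAuth-backed account with no password.
final class OauthUser implements UserLike
{
    private $username;

    public function __construct(string $username)
    {
        $this->username = $username;
    }

    public function getPassword()
    {
        return null;
    }

    public function getUsername()
    {
        return $this->username;
    }
}

// Constructed user with a stored password hash, for the positive path.
final class PasswordUser extends OauthUser
{
    public function getPassword()
    {
        return '$argon2id$constructed-hash';
    }
}

// Assumed helper, not the framework class: builds the cookie value or refuses to.
final class RememberMeCookieIssuer
{
    private const DELIMITER = ':';

    private $secret;
    private $lifetime;

    public function __construct(string $secret, int $lifetime)
    {
        $this->secret = $secret;
        $this->lifetime = $lifetime;
    }

    /**
     * Returns the cookie value, or null when no cookie must be set.
     * Fails closed: with an empty password the HMAC input would be reduced to
     * class, username and expiry, which is the weakening the issue warns about.
     */
    public function issue(UserLike $user, int $now): ?string
    {
        $password = $user->getPassword();
        if (null === $password || '' === $password) {
            // Degrade gracefully: the caller sets no remember-me cookie.
            return null;
        }

        $class = get_class($user);
        $username = $user->getUsername();
        $expires = $now + $this->lifetime;
        $hash = $this->generateCookieHash($class, $username, $expires, $password);

        return base64_encode(implode(self::DELIMITER, [$class, $username, $expires, $hash]));
    }

    // Password is typed as a non-nullable string; the guard in issue() keeps it that way.
    private function generateCookieHash(string $class, string $username, int $expires, string $password): string
    {
        $input = implode(self::DELIMITER, [$class, $username, $expires, $password]);

        return hash_hmac('sha256', $input, $this->secret);
    }
}

$issuer = new RememberMeCookieIssuer('constructed-secret', 3600);
// A password-less user yields null, so no cookie is set; a user with a password
// yields a base64 value whose HMAC covers the password as well.
$noCookie = $issuer->issue(new OauthUser('alice'), time());
$cookie = $issuer->issue(new PasswordUser('bob'), time());
```

The decision to skip the cookie is taken before the typed `generateCookieHash()` is reached, so the type mismatch between `getPassword()` returning `null` and a `string` parameter never surfaces as a TypeError, and a remember-me token is only ever minted from inputs that include a password.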
