Comments (8)
It's not likely anyone will ever bother applying the change in their projects though - so if we think that the new behaviour is better, we should probably have it be the behaviour in CMS 6.
from silverstripe-framework.
@Cheddam if no one replies in say a week or so, feel free to raise a PR and we can proceed from there.
from silverstripe-framework.
With Option 1, there'd still only be one RememberLoginHash entry per autologin. With Option 2, there would be multiple valid hashes, but we'd potentially mark outdated ones and significantly shorten their expiry. I haven't fully explored the implementation details yet, as I'm hoping we can just go with Option 1.
There's a range of potential triggers for the response not getting to the browser - a user double-clicking a link, multiple tabs of the same site rehydrating when a user reopens their browser, a user going through a tunnel and spamming refresh, a SPA firing off multiple asynchronous API requests to update the UI (this one may not trigger a full logout as the new value would still reach the browser, but could still trigger a failure in other requests sent before the new cookies arrived.)
One more wrinkle that we'd need to account for in Option 2 is if multiple requests resolve and successfully relay new cookies to the browser, but the responses are out of order, resulting in now-outdated cookies being set. (I really think Option 1 is going to be the best path forward.)
from silverstripe-framework.
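The two options and the lost-response race described in the comment above, as an added example that is not part of the original thread or of silverstripe-framework (which is PHP; this is a stand-alone Python model). `RememberMeStore`, `GRACE_SECONDS`, `TOKEN_LIFETIME` and the scenario functions are hypothetical names chosen for the illustration; Option 1 is modelled as "never rotate the hash on autologin", Option 2 as "rotate, mark the old hash as superseded and shorten its expiry to a short grace window". The scenarios reproduce the double-click / lost-response case and the out-of-order-response case from the comment.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

GRACE_SECONDS = 60.0          # assumption: how long a superseded hash stays valid
TOKEN_LIFETIME = 30 * 86400.0  # assumption: 30-day remember-me lifetime


def _hash(token: str) -> str:
    # Only a digest is stored server-side, so a table dump yields no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class StoredHash:
    token_hash: str
    expires_at: float
    superseded: bool = False


@dataclass
class RememberMeStore:
    """Remember-me entries for one device (a stand-in for a RememberLoginHash table)."""
    rotate: bool                      # False = Option 1, True = Option 2
    grace: float = GRACE_SECONDS      # 0.0 = strict rotation, old hash dies immediately
    entries: List[StoredHash] = field(default_factory=list)

    def login(self, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.entries = [StoredHash(_hash(token), now + TOKEN_LIFETIME)]
        return token

    def autologin(self, token: str, now: float) -> Optional[str]:
        """Validate the cookie the browser sent. Returns the token the browser
        should hold afterwards, or None if the cookie is rejected (user logged out)."""
        self.entries = [e for e in self.entries if e.expires_at > now]  # prune expired
        h = _hash(token)
        match = next((e for e in self.entries if e.token_hash == h), None)
        if match is None:
            return None
        if not self.rotate:
            return token                      # Option 1: same hash lives on
        # Option 2: issue a fresh hash; every hash that was current until now is
        # marked outdated and given at most `grace` seconds of remaining life.
        new_token = secrets.token_urlsafe(32)
        for e in self.entries:
            if not e.superseded:
                e.superseded = True
                e.expires_at = min(e.expires_at, now + self.grace)
        self.entries.append(StoredHash(_hash(new_token), now + TOKEN_LIFETIME))
        return new_token


def lost_response_scenario(rotate: bool, grace: float) -> bool:
    """Browser holds T1. The server processes a request (rotating to T2) but the
    response never reaches the browser, which retries with T1 a second later.
    Returns True if the user is still logged in after the retry."""
    store = RememberMeStore(rotate=rotate, grace=grace)
    t1 = store.login(now=0.0)
    store.autologin(t1, now=100.0)            # response lost; browser never sees T2
    return store.autologin(t1, now=101.0) is not None


def out_of_order_scenario(rotate: bool, grace: float) -> bool:
    """Two concurrent requests carry T1. The server answers with T2 then T3, but the
    browser applies T3's Set-Cookie first and T2's last, so it ends up holding T2.
    Returns True if a later request with T2 is still accepted."""
    store = RememberMeStore(rotate=rotate, grace=grace)
    t1 = store.login(now=0.0)
    t2 = store.autologin(t1, now=100.0)
    t3 = store.autologin(t1, now=100.1)       # second in-flight request, same cookie
    if t2 is None or t3 is None:
        return False                          # the concurrent request already failed
    return store.autologin(t2, now=105.0) is not None


if __name__ == "__main__":
    for rotate, grace, label in [(False, 0.0, "Option 1 (no rotation)"),
                                 (True, 0.0, "strict rotation"),
                                 (True, GRACE_SECONDS, "Option 2 (rotation + grace)")]:
        print(f"{label:28s} lost response: {lost_response_scenario(rotate, grace)}"
              f"  out of order: {out_of_order_scenario(rotate, grace)}")
```

Strict rotation logs the user out in both scenarios, because the only hash the browser still holds is gone the moment the server moved on. Option 1 trivially survives both. Option 2 survives both as long as the retry lands inside the grace window, and the table stays bounded because superseded hashes are pruned within `grace` seconds rather than living for the full lifetime.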
Yup, new configuration properties are new public API, so should be included in a minor release.
from silverstripe-framework.
Can confirm both from the actual src code and the tests of the Laravel implementation that they don't cycle the token except to set it during initial login (and if it's missing) and to remove it when logging out.
I'd say that's the way to go.
It does look like Symfony cycles it (if it hadn't already been cycled in the last minute):
https://github.com/symfony/symfony/blob/a86c96a85931f98e1ba6275629c3fcc268990527/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeHandler.php#L47-L56
So I'm not sure if they have similar issues to what this issue describes.
from silverstripe-framework.
If an attacker can steal the alc_enc cookie, they can also steal the SECSESSID cookie, and they will likely exploit it while it is fresh regardless.
That does depend on whether they have a reliable attack method that they can repeat, or if it's once-off. If it's once-off, then cycling alc_enc will stop them from being able to access your account even if they have the main session cookie. So it is slightly more secure to keep cycling that, I think? I dunno.
Given Laravel doesn't bother with it I'm inclined to accept that it's not doing a lot of good, but I'd like other opinions from @silverstripe/core-team if anyone has one.
from silverstripe-framework.
Removing the recycling of these would result in many more entries in the RememberLoginHash table, no? Or would you just expect the original hash to just live forever so you'd still only have one per device per Member?
I'm not sure I really see the use case for removing the existing functionality myself - sounds like this was a transient network issue that caused a request to be sent and processed but the HTTP response was not received by the browser so they never found out about the new alc_enc cookie? Without adding your sleep, how reproducible is it? Is it solving any other problem to remove this?
Agree that the rotation itself doesn't really achieve very much - as long as you're running over HTTPS you should be pretty safe from attack and/or the SECSESSID cookie is of more immediate value.
from silverstripe-framework.
I'm working on a patch based on Option 1, making this configurable and retaining the current behaviour by default.
My gut feeling is that structuring it as configuration constitutes a minor change rather than a patch, but happy to be convinced otherwise - any thoughts @GuySartorelli?
from silverstripe-framework.