Comments (8)

GuySartorelli avatar GuySartorelli commented on July 19, 2024 2

It's not likely anyone will ever bother applying the change in their projects though - so if we think that the new behaviour is better, we should probably have it be the behaviour in CMS 6.

from silverstripe-framework.

GuySartorelli avatar GuySartorelli commented on July 19, 2024 1

@Cheddam if no one replies in say a week or so, feel free to raise a PR and we can proceed from there.

from silverstripe-framework.

Cheddam avatar Cheddam commented on July 19, 2024 1

With Option 1, there'd still only be one RememberLoginHash entry per autologin. With Option 2, there would be multiple valid hashes, but we'd potentially mark outdated ones and significantly shorten their expiry. I haven't fully explored the implementation details yet, as I'm hoping we can just go with Option 1.

There's a range of potential triggers for the response not getting to the browser - a user double-clicking a link, multiple tabs of the same site rehydrating when a user reopens their browser, a user going through a tunnel and spamming refresh, a SPA firing off multiple asynchronous API requests to update the UI (this one may not trigger a full logout as the new value would still reach the browser, but could still trigger a failure in other requests sent before the new cookies arrived.)

One more wrinkle that we'd need to account for in Option 2 is if multiple requests resolve and successfully relay new cookies to the browser, but the responses are out of order, resulting in now-outdated cookies being set. (I really think Option 1 is going to be the best path forward.)

from silverstripe-framework.
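The lost-response race described in the comment above, modelled in Python as an added illustration (this is not SilverStripe code and does not use its RememberLoginHash API). The mode names, the 60-second grace window and the hashed in-memory store are constructed assumptions; the model compares the current rotate-on-every-use behaviour with Option 1 (no rotation) and Option 2 (old hash kept briefly with a shortened expiry).

```python
"""Constructed model of remember-me token rotation and the lost-response race."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _h(token: str) -> str:
    """Store only a hash of the cookie value, as a persistent remember-me table should."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Entry:
    expires: int
    successor: Optional[str] = None  # hash of the token that replaced this one (Option 2)


@dataclass
class RememberMeStore:
    mode: str                      # constructed: "rotate" (current), "keep" (Option 1), "grace" (Option 2)
    lifetime: int = 30 * 86400     # normal token lifetime in seconds
    grace: int = 60                # assumed: how long an outdated token stays usable in "grace" mode
    entries: dict = field(default_factory=dict)

    def issue(self, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.entries[_h(token)] = Entry(expires=now + self.lifetime)
        return token

    def authenticate(self, token: str, now: int):
        """Return (accepted, new_cookie_value_or_None)."""
        entry = self.entries.get(_h(token))
        if entry is None or entry.expires <= now:
            return False, None
        if self.mode == "keep" or entry.successor is not None:
            # Option 1 never rotates; in Option 2 an outdated token inside its
            # grace window is accepted without spawning yet another successor.
            return True, None
        new = self.issue(now)
        if self.mode == "rotate":
            del self.entries[_h(token)]          # old token dies immediately
        else:  # "grace": keep the old hash, but mark it outdated and shorten its expiry
            entry.successor = _h(new)
            entry.expires = min(entry.expires, now + self.grace)
        return True, new


def lost_response_scenario(mode: str) -> bool:
    """Browser holds T1. Request A rotates it but its response never arrives;
    request B (double-click, second tab) still carries T1. Does B succeed?"""
    store = RememberMeStore(mode=mode)
    t1 = store.issue(now=0)
    ok_a, _lost_cookie = store.authenticate(t1, now=1)
    assert ok_a
    ok_b, _ = store.authenticate(t1, now=2)
    return ok_b
```

With `mode="rotate"` the second request is rejected and the device is logged out; both `keep` and `grace` survive it, and in `grace` the outdated token stops working once the shortened expiry passes.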

GuySartorelli avatar GuySartorelli commented on July 19, 2024 1

Yup, new configuration properties are new public API, so should be included in a minor release.

from silverstripe-framework.

GuySartorelli avatar GuySartorelli commented on July 19, 2024

Can confirm both from the actual src code and the tests of the laravel implementation that they don't cycle the token except to set it during initial login (and if it's missing) and to remove it when logging out.

I'd say that's the way to go.

It does look like Symfony cycles it (if it hadn't already been cycled in the last minute):
https://github.com/symfony/symfony/blob/a86c96a85931f98e1ba6275629c3fcc268990527/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeHandler.php#L47-L56

https://github.com/symfony/symfony/blob/a86c96a85931f98e1ba6275629c3fcc268990527/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php#L91-L100

So I'm not sure if they have similar issues to what this issue describes.

from silverstripe-framework.

GuySartorelli avatar GuySartorelli commented on July 19, 2024

If an attacker can steal the alc_enc cookie, they can also steal the SECSESSID cookie, and they will likely exploit it while it is fresh regardless.

That does depend on whether they have a reliable attack method that they can repeat, or if it's once-off. If it's once-off, then cycling alc_enc will stop them from being able to access your account even if they have the main session cookie. So it is slightly more secure to keep cycling that, I think? I dunno.

Given Laravel doesn't bother with it I'm inclined to accept that it's not doing a lot of good, but I'd like other opinions from @silverstripe/core-team if anyone has one.

from silverstripe-framework.

madmatt avatar madmatt commented on July 19, 2024

Removing the recycling of these would result in many more entries in the RememberLoginHash table, no? Or would you just expect the original hash to just live forever so you'd still only have one per device per Member?

I'm not sure I really see the use case for removing the existing functionality myself - sounds like this was a transient network issue that caused a request to be sent and processed but the HTTP response was not received by the browser so they never found out about the new alc_enc cookie? Without adding your sleep, how reproducible is it? Is it solving any other problem to remove this?

Agree that the rotation itself doesn't really achieve very much - as long as you're running over HTTPS you should be pretty safe from attack and/or the SECSESSID cookie is of more immediate value.

from silverstripe-framework.

Cheddam avatar Cheddam commented on July 19, 2024

I'm working on a patch based on Option 1, making this configurable and retaining the current behaviour by default.

My gut feeling is that structuring it as configuration constitutes a minor change rather than a patch, but happy to be convinced otherwise - any thoughts @GuySartorelli?

from silverstripe-framework.
