[Security] Prevent canceled remember-me cookie from being accepted

chalasr · chalasr · commit f8ea473688c4 · 2020-01-06T22:59:17.000+01:00
diff --git a/RememberMe/AbstractRememberMeServices.php b/RememberMe/AbstractRememberMeServices.php
@@ -99,6 +99,10 @@ public function getSecret()
      */
     final public function autoLogin(Request $request)
     {
+        if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
+            return null;
+        }
+
         if (null === $cookie = $request->cookies->get($this->options['name'])) {
             return null;
         }
diff --git a/Tests/RememberMe/AbstractRememberMeServicesTest.php b/Tests/RememberMe/AbstractRememberMeServicesTest.php
@@ -39,6 +39,17 @@ public function testAutoLoginReturnsNullWhenNoCookie()
         $this->assertNull($service->autoLogin(new Request()));
     }
 
+    public function testAutoLoginReturnsNullAfterLoginFail()
+    {
+        $service = $this->getService(null, ['name' => 'foo', 'path' => null, 'domain' => null]);
+
+        $request = new Request();
+        $request->cookies->set('foo', 'foo');
+
+        $service->loginFail($request);
+        $this->assertNull($service->autoLogin($request));
+    }
+
     /**
      * @group legacy
      */

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,10 @@ public function getSecret()`
`99`	`99`	`*/`
`100`	`100`	`final public function autoLogin(Request $request)`
`101`	`101`	`{`
	`102`	`+ if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {`
	`103`	`+ return null;`
	`104`	`+ }`
	`105`	`+`
`102`	`106`	`if (null === $cookie = $request->cookies->get($this->options['name'])) {`
`103`	`107`	`return null;`
`104`	`108`	`}`