Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signing cookies problem #154

Open
cordoval opened this issue Jul 29, 2017 · 9 comments · May be fixed by #315
Open

Signing cookies problem #154

cordoval opened this issue Jul 29, 2017 · 9 comments · May be fixed by #315

Comments

@cordoval
Copy link

cordoval commented Jul 29, 2017
edited
Loading

With configuration:

nelmio_security:
    # signs/verifies all cookies
    signed_cookie:
        names: ['symfony', 'two_factor_trusted_computer']

I get my system cannot login anymore for any user. Is there a requirement for this?

symfony configuration:

framework:
    #esi:             ~
    secret:          "%secret%"
    router:
        resource: "%kernel.root_dir%/config/routing.yml"
        strict_requirements: ~
    form: ~
    csrf_protection: ~
    validation:      { enable_annotations: false }
    translator:
        enabled: false
    templating:
        engines: ['twig', 'php']
    assets: false
    default_locale:  "%locale%"
    trusted_hosts:   ~
    session:
        name: "symfony"
        handler_id:  snc_redis.session.handler
    fragments:       ~
    http_method_override: true
    ide: "phpstorm://open?file=%%f&line=%%l"
@ndench
Copy link

ndench commented Aug 15, 2018

I'm experiencing this problem too, as soon as I enable signed cookies, it's impossible to login.

@fkrauthan
Copy link

Anyone knows a work around so that I can use cookie signing with login working?

@Ulv
Copy link

Ulv commented Jun 27, 2019

Same problem here

@MichaelKubovic
Copy link

Debugging SignedCookieListener it seems that the session cookie generated by PHP is missing from the Request object. A workaround is to whitelist cookie names that you wish to sign, leaving the session cookie out.

@I-Valchev
Copy link

Any ideas what's the best way to fix this, while keeping the signed cookie option? @romainneutron Thanks!

@I-Valchev I-Valchev mentioned this issue Mar 8, 2021
Closed
@phiamo
Copy link

phiamo commented Mar 10, 2021
edited
Loading

+1 i am experiencing the same ... enabling signed cookies, breaks the login somehow

@janklan
Copy link

janklan commented Aug 30, 2021
edited
Loading

TL;DR: do not use nelmio_security.signed_cookie.names: ['*'] to prevent the session cookie from being part of the signing process.

I tracked the problem to the fact that the session cookie is not being signed.

First: SignedCookieListener removes cookies that fail the signature check from the request: https://github.com/nelmio/NelmioSecurityBundle/blob/master/EventListener/SignedCookieListener.php#L60

Next step: SignedCookieListener only signs cookies that are part of the Response object: https://github.com/nelmio/NelmioSecurityBundle/blob/master/EventListener/SignedCookieListener.php#L85

Moving on: Instead of creating the cookie directly, for instance, using setcookie(), you'd need to inject the cookie in your Response. The code below lives in a controller.

$response = new Response();
$response->headers->setCookie(new Cookie('foo', 'bar'.time()));
return $response;

After this, you should see a cookie called foo, with a value barLONG-HASH-WHICH-IS-THE-SIGNATURE. At this point you should notice the session cookie has no signature - just the session ID. That's your problem.

Last piece of the puzzle: if you're using the default Symfony configuration, you probably use the native session storage: framework.session.storage_factory_id: session.storage.factory.native. The NativeSessionStorage is not aware of your Response object. It just builds the cookie string and pushes it out to the browser directly, using header() function: https://github.com/symfony/http-foundation/blob/5.3/Session/Storage/NativeSessionStorage.php#L161

At least that's my understanding of what's wrong.
I assume you could build Response-aware session storage to make use of the Response object. That is, of course, if you're happy with starting the session late in the request lifecycle, which you are probably not. I think I just nailed the reason why is the NativeSessionStorage creating the cookie directly.

I'll pop this problem into the ever-growing "too-hard basket" and result in other session-related security hardening measures.

Suppose you want to use the cookie signature, set up a companion (signed) cookie that lives alongside the session cookie, with the value matching the session cookie. If the two values diverge or the companion cookie signature fails, terminate the session and log it as a security incident.

Not ideal, but it should work.

@peter17 peter17 mentioned this issue Jun 3, 2022
Open
@GwendolenLynch GwendolenLynch linked a pull request Sep 3, 2022 that will close this issue
Open
@DavidPetrasek
Copy link

DavidPetrasek commented Feb 24, 2025
edited
Loading

I've spent hours to solve my problem with login. Really big headaches.
Please update the docs. Add a warning to all names: ['*'] like this:
names: ['*'] # Beware: Login won't work.

@DavidPetrasek
Copy link

Here's the PR to update the docs: #368

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes for cookie signing GwendolenLynch/NelmioSecurityBundle
9 participants
@phiamo @cordoval @Ulv @MichaelKubovic @fkrauthan @ndench @janklan @I-Valchev @DavidPetrasek