Skip to content

[Security] Deprecate PersistentToken::getClass() and RememberMeDetails::getUserFqcn() in order to remove the user FQCN from the remember-me cookie in 8.0 #61654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 10, 2025
Merged

[Security] Deprecate PersistentToken::getClass() and RememberMeDetails::getUserFqcn() in order to remove the user FQCN from the remember-me cookie in 8.0 #61654

merged 1 commit into from
Sep 10, 2025

Conversation

@nicolas-grekas
Copy link
Member

@nicolas-grekas nicolas-grekas commented Sep 4, 2025
edited
Loading

Q A
Branch? 7.4
Bug fix? no
New feature? no
Deprecations? yes
Issues #42349
License MIT

Instead of #59232

Having the user FQCN in the remember-me cookie leaks internal details that are not needed.

In the end userProvider->loadUserByIdentifier() is called, so that there's not need to early-exclude a cookie that's otherwise valid - and that's the only practical use case.

@carsonbot carsonbot added this to the 7.4 milestone Sep 4, 2025
@nicolas-grekas nicolas-grekas mentioned this pull request Sep 4, 2025
Closed
@nicolas-grekas nicolas-grekas force-pushed the sec-rme-fqcn branch 6 times, most recently from 0e8e2d5 to 53cdf23 Compare September 8, 2025 11:54
@nicolas-grekas
[Security] Deprecate PersistentToken::getClass() and `RememberMeDet…
5c07c91 
…ails::getUserFqcn()` in order to remove the user FQCN from the remember-me cookie in 8.0
@fabpot
Copy link
Member

fabpot commented Sep 10, 2025

Thank you @nicolas-grekas.

@fabpot fabpot merged commit 236b078 into symfony:7.4 Sep 10, 2025
9 of 12 checks passed
@fabpot fabpot mentioned this pull request Sep 10, 2025
Closed
@nicolas-grekas nicolas-grekas deleted the sec-rme-fqcn branch September 10, 2025 12:12
@xabbuh xabbuh mentioned this pull request Sep 13, 2025
Merged
nicolas-grekas added a commit that referenced this pull request Sep 15, 2025
@nicolas-grekas
feature #61743 [Security] deprecate the FQCN properties of `Persisten…
5eae900 
…tToken` and `RememberMeDetails` (xabbuh)

This PR was merged into the 7.4 branch.

Discussion
----------

[Security] deprecate the FQCN properties of `PersistentToken` and `RememberMeDetails`

| Q             | A
| ------------- | ---
| Branch?       | 7.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Issues        |
| License       | MIT

while cleaning up the `8.0` branch from the deprecations introduced in #61654 I wondered if we shouldn't also deprecate passing the user FQCN to `PersistentToken` and `RememberMeDetails` in the first place

Commits
-------

0e733fd deprecate the FQCN properties of PersistentToken and RememberMeDetails
This was referenced Oct 27, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fabpot fabpot fabpot approved these changes

@alexandre-daubois alexandre-daubois alexandre-daubois approved these changes

@chalasr chalasr chalasr approved these changes

Assignees

No one assigned

Labels

Deprecation Security Status: Reviewed

Projects

None yet

Milestone

7.4

Development

Successfully merging this pull request may close these issues.

5 participants

@nicolas-grekas @fabpot @alexandre-daubois @chalasr @carsonbot