niftycent.com
NiftyCent
FR
Connexion
Marketplace
Réductions

CVE-2021-41268: Remember me cookie persistance after password changes

Description

Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password.

Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie.

Resolution

Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore.

The patch for this issue is available here for branch 5.3.

Credits

We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.

                Sponsor the Symfony project.

https://symfony.com/blog/cve-2021-41268-remember-me-cookie-persistance-after-password-changes?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Établi 4y | 24 nov. 2021, 09:20:07


Connectez-vous pour ajouter un commentaire

Autres messages de ce groupe

Case study: Modernizing Audi France’s Digital Ecosystem with Symfony 6
Case study: Modernizing Audi France’s Digital Ecosystem with Symfony 6

At Wide, Micropole’s digital agency, they help leading brands modernize their digital infrastructures while ensuring scalability, security, and performance. When Audi France approached them to migrate

4 juil. 2025, 09:40:14 | Symfony
Case study: A Long-Term Powerhouse Behind Vente-unique.com's E-Commerce Success (Zero Churn, All Wins!)
Case study: A Long-Term Powerhouse Behind Vente-unique.com's E-Commerce Success (Zero Churn, All Wins!)

Vente-unique.com, a leading European online retailer of furniture and home decor, operates in 11 countries, powered by a team of 400 professionals and serving more than 3 million customers. From 15 ye

2 juil. 2025, 09:10:03 | Symfony
A Week of Symfony #965 (June 23–29, 2025)
A Week of Symfony #965 (June 23–29, 2025)

This week, Symfony 6.4.23, 7.2.8 and 7.3.1 maintenance versions were released. Meanwhile, the upcoming Symfony 7.4 version continued adding new features such as better controller helpers, more precisi

29 juin 2025, 09:10:15 | Symfony
Symfony 6.4.23 released
Symfony 6.4.23 released

Symfony 6.4.23 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in you

28 juin 2025, 09:50:15 | Symfony
Symfony 7.2.8 released
Symfony 7.2.8 released

Symfony 7.2.8 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your

28 juin 2025, 09:50:15 | Symfony
Symfony 7.3.1 released
Symfony 7.3.1 released

Symfony 7.3.1 has just been released. Read the Symfony upgrade guide to learn more about upgrading Symfony and use the SymfonyInsight upgrade reports to detect the code you will need to change in your

28 juin 2025, 09:50:14 | Symfony
A Week of Symfony #964 (June 16–22, 2025)
A Week of Symfony #964 (June 16–22, 2025)

This week, development activity was intense, with many bug fixes in the maintained branches, numerous deprecation removals in the 8.0 branch, and new features added to the 7.4 branch, including tighte

22 juin 2025, 08:10:05 | Symfony
Techie
Techie