niftycent.com
NiftyCent
US
Login
Marketplace
Discounts

CVE-2021-41268: Remember me cookie persistance after password changes

Description

Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password.

Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie.

Resolution

Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore.

The patch for this issue is available here for branch 5.3.

Credits

We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.

                Sponsor the Symfony project.

https://symfony.com/blog/cve-2021-41268-remember-me-cookie-persistance-after-password-changes?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Created 4y | Nov 24, 2021, 9:20:07 AM


Login to add comment

Other posts in this group

SymfonyOnline June 2025: Speakers, Stats & Replays!
SymfonyOnline June 2025: Speakers, Stats & Replays!

Thank you for joining us at SymfonyOnline June 2025!

What a great edition of SymfonyOnline we’ve just wrapped up! 🎉

We were thrilled to welcome 300 participants from 35 different countries—a

Jun 18, 2025, 8:50:17 AM | Symfony
A Week of Symfony #963 (June 9–15, 2025)
A Week of Symfony #963 (June 9–15, 2025)

This week, Symfony celebrated the SymfonyOnline June 2025 conference with great success. Meanwhile, development efforts focused on improving invokable commands for the upcoming Symfony 7.4 version. Th

Jun 15, 2025, 9:10:09 AM | Symfony
A Week of Symfony #962 (June 2–8, 2025)
A Week of Symfony #962 (June 2–8, 2025)

This week, development activity focused on the upcoming Symfony 7.4 and 8.0 versions, which will deprecate and remove many features. In addition, we published a case study about Yousign. Finally, we'r

Jun 8, 2025, 7:50:05 AM | Symfony
Case study - Yousign: Scaling Trust with Smart, Scalable Architecture
Case study - Yousign: Scaling Trust with Smart, Scalable Architecture

As digital signatures become the norm in modern business, Yousign has established itself as a trusted leader across Europe. Behind its simple, intuitive interface is a powerful technical engine, handl

Jun 6, 2025, 7:10:24 AM | Symfony
SymfonyOnline June 2025 starts next week!
SymfonyOnline June 2025 starts next week!

Get ready for the exciting SymfonyOnline June 2025, kicking off in a few days only! There’s still time to register and join the international online Symfony conference—along with pre-conferenc

Jun 5, 2025, 10:20:09 AM | Symfony
A Week of Symfony #961 (May 26 – June 1, 2025)
A Week of Symfony #961 (May 26 – June 1, 2025)

This week, Symfony released the stable version of Symfony 7.3, which includes lots of amazing new features. We also published the maintenance versions 6.4.22 and 7.2.7.

Symfony development highlights

Jun 1, 2025, 8:50:16 AM | Symfony
New in Symfony 7.3: DX Improvements (part 2)
New in Symfony 7.3: DX Improvements (part 2)

This is the second part of the blog post showcasing the main DX (developer experience) features introduced in Symfony 7.3. Read the first part of this blog post.

Verify URI Signatures… https://symfon

May 29, 2025, 9:10:19 AM | Symfony
Techie
Techie