-
Notifications
You must be signed in to change notification settings - Fork 824
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API Make token regeneration optional during autologin session renewal #11299
API Make token regeneration optional during autologin session renewal #11299
Conversation
Prefer-lowest CI failure is unrelated to this PR. |
src/Security/MemberAuthenticator/CookieAuthenticationHandler.php
Outdated
Show resolved
Hide resolved
30de8ec
to
9136112
Compare
Resolves silverstripe#11281. Renewing the token/hash during an active session can trigger a logout in the event of request failures or simultaneous requests. This also marks the renew method as deprecated, to be removed entirely in 6.0.
9136112
to
724e813
Compare
$this->Hash = $hash; | ||
} | ||
|
||
$this->extend('onAfterRenewToken', $replaceToken); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@GuySartorelli Just considering how we'll handle this extension point once we drop the method; My current thought is that we shift the call-site up to CookieAuthenticationHandler::authenticateRequest()
, but still have it be an extension of RememberLoginHash
(possibly with a tweaked name to reflect that the token itself is not being renewed.)
There's precedent in the authenticateRequest()
method for calling an extension point externally on an object instance (see the $member->extend('memberAutoLoggedIn');
call) but not sure if this falls within our general best practices?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't the idea with deprecating and eventually removing the renew()
method that there will be no renewal necessary? If we don't renew the token, we don't need to have a onAfterRenewToken
extension hook, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Description
Renewing the token/hash during an active session can trigger a logout in the event of request failures or simultaneous requests. This PR makes the regeneration logic optional, though still enabled by default, and ensures a new cookie is only transmitted to the client if the token is regenerated.
This also marks the renew method as deprecated, to be removed entirely in 6.0. There's an extension point in this method that the Login Session module relies on to correctly augment session data, so this will need to be moved.
NOTE: There's a
$this->write()
call inRememberLoginHash::renew()
that follows the extension point, which I've intentionally left intact regardless of the new configuration setting. The likelihood that a project/module is relying on this write is extremely low, but not zero.Manual testing steps
alc_enc
cookie does not changeIssues
Pull request checklist