Signing cookies problem #154

Open
cordoval opened this issue Jul 29, 2017 · 7 comments · May be fixed by #315
Comments

@cordoval

cordoval commented Jul 29, 2017

With configuration:

nelmio_security:
    # signs/verifies all cookies
    signed_cookie:
        names: ['symfony', 'two_factor_trusted_computer']

I find that my system cannot log in anymore for any user. Is there a requirement for this?

symfony configuration:

framework:
    #esi:             ~
    secret:          "%secret%"
    router:
        resource: "%kernel.root_dir%/config/routing.yml"
        strict_requirements: ~
    form: ~
    csrf_protection: ~
    validation:      { enable_annotations: false }
    translator:
        enabled: false
    templating:
        engines: ['twig', 'php']
    assets: false
    default_locale:  "%locale%"
    trusted_hosts:   ~
    session:
        name: "symfony"
        handler_id:  snc_redis.session.handler
    fragments:       ~
    http_method_override: true
    ide: "phpstorm://open?file=%%f&line=%%l"
@ndench

ndench commented Aug 15, 2018

I'm experiencing this problem too: as soon as I enable signed cookies, it's impossible to log in.

@fkrauthan

Does anyone know a workaround so that I can use cookie signing with login working?

@Ulv

Ulv commented Jun 27, 2019

Same problem here

@MichaelKubovic

Debugging SignedCookieListener it seems that the session cookie generated by PHP is missing from the Request object. A workaround is to whitelist cookie names that you wish to sign, leaving the session cookie out.

@I-Valchev

Any ideas what's the best way to fix this, while keeping the signed cookie option? @romainneutron Thanks!

@phiamo

phiamo commented Mar 10, 2021

+1, I am experiencing the same: enabling signed cookies breaks the login somehow.

@janklan

janklan commented Aug 30, 2021

TL;DR: do not use nelmio_security.signed_cookie.names: ['*'] to prevent the session cookie from being part of the signing process.


I tracked the problem to the fact that the session cookie is not being signed.

First: SignedCookieListener removes cookies that fail the signature check from the request: https://github.com/nelmio/NelmioSecurityBundle/blob/master/EventListener/SignedCookieListener.php#L60

Next step: SignedCookieListener only signs cookies that are part of the Response object: https://github.com/nelmio/NelmioSecurityBundle/blob/master/EventListener/SignedCookieListener.php#L85

Moving on: instead of creating the cookie directly (for instance, using setcookie()), you need to inject the cookie into your Response. The code below lives in a controller.

use Symfony\Component\HttpFoundation\Cookie;   // at the top of the controller file
use Symfony\Component\HttpFoundation\Response;

$response = new Response();
$response->headers->setCookie(new Cookie('foo', 'bar'.time())); // signed on the way out only if 'foo' is in signed_cookie.names
return $response;

After this, you should see a cookie called foo, with a value barLONG-HASH-WHICH-IS-THE-SIGNATURE. At this point you should notice the session cookie has no signature - just the session ID. That's your problem.

Last piece of the puzzle: if you're using the default Symfony configuration, you probably use the native session storage: framework.session.storage_factory_id: session.storage.factory.native. The NativeSessionStorage is not aware of your Response object. It just builds the cookie string and pushes it out to the browser directly, using header() function: https://github.com/symfony/http-foundation/blob/5.3/Session/Storage/NativeSessionStorage.php#L161


At least that's my understanding of what's wrong.
I assume you could build a Response-aware session storage to make use of the Response object. That is, of course, if you're happy with starting the session late in the request lifecycle, which you are probably not. I think I just nailed the reason why the NativeSessionStorage is creating the cookie directly.

I'll pop this problem into the ever-growing "too-hard basket" and resort to other session-related security hardening measures.

If you want to use the cookie signature, set up a companion (signed) cookie that lives alongside the session cookie, with a value matching the session cookie. If the two values diverge or the companion cookie signature fails, terminate the session and log it as a security incident.

Not ideal, but it should work.
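The companion-cookie approach sketched in the comment above, written out as an added example; this is not code from NelmioSecurityBundle, from Symfony, or from anyone in this thread. It also covers the earlier workaround of listing only the cookies you emit through the Response: the class doc comment shows a signed_cookie list that names the companion cookie and leaves the session cookie out (note that the reporter's list includes 'symfony', which is the framework.session.name in the same config, so the session cookie was being checked and stripped on every request). Assumptions, all mine: Symfony 5.3+ (isMainRequest()), PHP 8, the cookie name session_companion, the class and method names, and that the bundle's SignedCookieListener runs before this subscriber on kernel.request and after it on kernel.response (check with bin/console debug:event-dispatcher in your own app).

```php
<?php
// Added example, not code from NelmioSecurityBundle or from this thread.
// Assumes Symfony 5.3+ and PHP 8. Cookie name "session_companion" and the
// listener ordering relative to SignedCookieListener are assumptions: verify
// the priorities with `bin/console debug:event-dispatcher kernel.request`.

declare(strict_types=1);

namespace App\EventSubscriber;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Pair this with a signed_cookie list that names the companion cookie but
 * NOT the session cookie. NativeSessionStorage emits the session cookie via
 * header(), so it never passes through SignedCookieListener; any signature
 * check on it fails and the cookie is stripped, which is what breaks login.
 *
 *   nelmio_security:
 *       signed_cookie:
 *           names: ['session_companion']   # not 'symfony' (the session cookie), not '*'
 */
final class SessionCompanionCookieSubscriber implements EventSubscriberInterface
{
    private const COMPANION = 'session_companion'; // assumed cookie name

    public function __construct(private LoggerInterface $logger)
    {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::REQUEST => ['onKernelRequest', 0],
            KernelEvents::RESPONSE => ['onKernelResponse', 0],
        ];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        // Only main requests carry the browser's cookies; nothing to check
        // if the browser sent no session cookie at all.
        if (!$event->isMainRequest() || !$request->hasPreviousSession()) {
            return;
        }

        $session = $request->getSession();
        $sessionId = (string) $request->cookies->get($session->getName(), '');
        // SignedCookieListener has already removed the companion cookie if its
        // signature did not verify, so "missing" and "tampered" look the same here.
        $companion = $request->cookies->get(self::COMPANION);

        if ($companion === null || !hash_equals($sessionId, (string) $companion)) {
            $this->logger->warning('Session companion cookie missing or diverged; terminating session', [
                'ip' => $request->getClientIp(),
                'companion_present' => $companion !== null,
            ]);
            // Drop the server-side data and rotate the id; the response
            // listener below issues a fresh companion for the new id.
            $session->invalidate();
        }
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$request->hasSession()) {
            return;
        }

        $session = $request->getSession();
        if (!$session->isStarted()) {
            return; // no session cookie is being sent either, nothing to mirror
        }

        // Mirror the (possibly regenerated) session id. Because this cookie
        // goes through the Response object, SignedCookieListener will append
        // its signature on the way out.
        $event->getResponse()->headers->setCookie(Cookie::create(
            self::COMPANION,
            $session->getId(),
            0,                    // session-lifetime, like the PHP session cookie
            '/',
            null,
            $request->isSecure(), // Secure whenever the request was HTTPS
            true,                 // HttpOnly
            false,
            Cookie::SAMESITE_LAX
        ));
    }
}
```

Two things to expect in practice: every session that exists before this subscriber is deployed lacks a companion cookie and is invalidated on its first request (a one-time forced logout), and the companion must be set with the same path, domain and Secure scoping as the real session cookie, otherwise a browser can legitimately send one without the other and you will log false incidents.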
