Using Symfony’s “RememberMe”? You Better Read This
Keep your users safe and your system secure
Are you using the well-known Symfony Security feature called “Remember me”? When a user authenticates to your application, they can tick the “remember me” checkbox to stay logged in for longer.
This feature is powerful yet dead simple. During the log-in process, the user receives an additional cookie called “REMEMBERME” with an expiration date of one year.
If the session cookie is missing, the remember-me cookie exists, and the user has not changed their password since it was issued, the user is authenticated automatically.
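The firewall configuration behind this behaviour, as an added example (not taken from the original post): it shows where the one-year cookie lifetime comes from and the options that bound the cookie's exposure. The provider name and login routes are assumed placeholders; option names are the ones Symfony's `remember_me` firewall listener documents.

```yaml
# config/packages/security.yaml (added example, not from the original post)
security:
    firewalls:
        main:
            lazy: true
            provider: app_user_provider       # assumed provider name
            form_login:
                login_path: app_login         # assumed route names
                check_path: app_login
            remember_me:
                secret: '%kernel.secret%'     # key used to sign the cookie value
                name: REMEMBERME              # the cookie the post refers to
                # lifetime defaults to 31536000 seconds (one year);
                # one week keeps a stolen cookie usable for far less time
                lifetime: 604800
                path: /
                secure: true                  # only sent over HTTPS
                httponly: true                # not readable by page scripts
                samesite: strict              # not attached to cross-site requests
                # the cookie stops validating when any listed property changes,
                # which is why a password change logs the remembered user out
                signature_properties: [password]
```

The `lifetime`, `secure`, `httponly` and `samesite` values above are the tightened settings; Symfony's defaults are the one-year lifetime and cookie flags inherited from the framework session configuration.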
Can you spot the danger associated with this feature? Think about it for a moment.
Digital identity theft
The problem is with the cookie’s longevity. This cookie is the golden key to getting inside your application. Let’s talk for a moment about digital identity theft.
Are you aware that somebody can steal your browser cookies? This can be done in several ways, including: