feature #61760 [Security] remove the user FQCN from remember me cookies (xabbuh)

fabpot · fabpot · commit 577f30b20b07 · 2025-09-19T12:32:41.000+02:00
This PR was merged into the 8.0 branch. Discussion ---------- [Security] remove the user FQCN from remember me cookies | Q | A | ------------- | --- | Branch? | 8.0 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | | License | MIT Commits ------- 56b95da remove the user FQCN from remember me cookies
diff --git a/UPGRADE-8.0.md b/UPGRADE-8.0.md
@@ -361,6 +361,8 @@ Routing
 Security
 --------
 
+ * Remove `PersistentTokenInterface::getClass()` and `RememberMeDetails::getUserFqcn()`
+ * Remove the user FQCN from the remember-me cookie
  * Remove `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`;
    erase credentials e.g. using `__serialize()` instead:
 
diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/InMemoryTokenProvider.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/InMemoryTokenProvider.php
@@ -38,12 +38,10 @@ public function updateToken(string $series, #[\SensitiveParameter] string $token
         }
 
         $token = new PersistentToken(
-            $this->tokens[$series]->getClass(false),
             $this->tokens[$series]->getUserIdentifier(),
             $series,
             $tokenValue,
             $lastUsed,
-            false
         );
         $this->tokens[$series] = $token;
     }
diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/PersistentToken.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/PersistentToken.php
@@ -18,61 +18,14 @@
  */
 final class PersistentToken implements PersistentTokenInterface
 {
-    private ?string $class = null;
-    private string $userIdentifier;
-    private string $series;
-    private string $tokenValue;
     private \DateTimeImmutable $lastUsed;
 
-    /**
-     * @param string             $userIdentifier
-     * @param string             $series
-     * @param string             $tokenValue
-     * @param \DateTimeInterface $lastUsed
-     */
     public function __construct(
-        $userIdentifier,
-        $series,
-        #[\SensitiveParameter] $tokenValue,
-        #[\SensitiveParameter] $lastUsed,
+        private string $userIdentifier,
+        private string $series,
+        #[\SensitiveParameter] private string $tokenValue,
+        \DateTimeInterface $lastUsed,
     ) {
-        if (\func_num_args() > 4) {
-            if (\func_num_args() < 6 || func_get_arg(5)) {
-                trigger_deprecation('symfony/security-core', '7.4', 'Passing a user FQCN to %s() is deprecated. The user class will be removed from the remember-me cookie in 8.0.', __CLASS__, __NAMESPACE__);
-            }
-
-            if (!\is_string($userIdentifier)) {
-                throw new \TypeError(\sprintf('Argument 1 passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($userIdentifier)));
-            }
-
-            $this->class = $userIdentifier;
-            $userIdentifier = $series;
-            $series = $tokenValue;
-            $tokenValue = $lastUsed;
-
-            if (\func_num_args() <= 4) {
-                throw new \TypeError(\sprintf('Argument 5 passed to "%s()" must be an instance of "%s", the argument is missing.', __METHOD__, \DateTimeInterface::class));
-            }
-
-            $lastUsed = func_get_arg(4);
-        }
-
-        if (!\is_string($userIdentifier)) {
-            throw new \TypeError(\sprintf('The $userIdentifier argument passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($userIdentifier)));
-        }
-
-        if (!\is_string($series)) {
-            throw new \TypeError(\sprintf('The $series argument  passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($series)));
-        }
-
-        if (!\is_string($tokenValue)) {
-            throw new \TypeError(\sprintf('The $tokenValue argument  passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($tokenValue)));
-        }
-
-        if (!$lastUsed instanceof \DateTimeInterface) {
-            throw new \TypeError(\sprintf('The $lastUsed argument  passed to "%s()" must be an instance of "%s", "%s" given.', __METHOD__, \DateTimeInterface::class, get_debug_type($lastUsed)));
-        }
-
         if ('' === $userIdentifier) {
             throw new \InvalidArgumentException('$userIdentifier must not be empty.');
         }
@@ -83,24 +36,9 @@ public function __construct(
             throw new \InvalidArgumentException('$tokenValue must not be empty.');
         }
 
-        $this->userIdentifier = $userIdentifier;
-        $this->series = $series;
-        $this->tokenValue = $tokenValue;
         $this->lastUsed = \DateTimeImmutable::createFromInterface($lastUsed);
     }
 
-    /**
-     * @deprecated since Symfony 7.4
-     */
-    public function getClass(bool $triggerDeprecation = true): string
-    {
-        if ($triggerDeprecation) {
-            trigger_deprecation('symfony/security-core', '7.4', 'The "%s()" method is deprecated: the user class will be removed from the remember-me cookie in 8.0.', __METHOD__);
-        }
-
-        return $this->class ?? '';
-    }
-
     public function getUserIdentifier(): string
     {
         return $this->userIdentifier;
diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/PersistentTokenInterface.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/PersistentTokenInterface.php
@@ -19,13 +19,6 @@
  */
 interface PersistentTokenInterface
 {
-    /**
-     * Returns the class of the user.
-     *
-     * @deprecated since Symfony 7.4, the user class will be removed from the remember-me cookie in 8.0
-     */
-    public function getClass(): string;
-
     /**
      * Returns the series.
      */
diff --git a/src/Symfony/Component/Security/Core/CHANGELOG.md b/src/Symfony/Component/Security/Core/CHANGELOG.md
@@ -4,6 +4,8 @@ CHANGELOG
 8.0
 ---
 
+ * Remove `PersistentTokenInterface::getClass()`
+ * Remove the user FQCN from the remember-me cookie
  * Remove `RememberMeToken::getSecret()`
  * Remove `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
    erase credentials e.g. using `__serialize()` instead
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/RememberMe/CacheTokenVerifierTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/RememberMe/CacheTokenVerifierTest.php
@@ -21,22 +21,22 @@ class CacheTokenVerifierTest extends TestCase
     public function testVerifyCurrentToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable(), false);
+        $token = new PersistentToken('user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());
         $this->assertTrue($verifier->verifyToken($token, 'value'));
     }
 
     public function testVerifyFailsInvalidToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable(), false);
+        $token = new PersistentToken('user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());
         $this->assertFalse($verifier->verifyToken($token, 'wrong-value'));
     }
 
     public function testVerifyOutdatedToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $outdatedToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable(), false);
-        $newToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'newvalue', new \DateTimeImmutable(), false);
+        $outdatedToken = new PersistentToken('user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());
+        $newToken = new PersistentToken('user', 'series1@special:chars=/', 'newvalue', new \DateTimeImmutable());
         $verifier->updateExistingToken($outdatedToken, 'newvalue', new \DateTimeImmutable());
         $this->assertTrue($verifier->verifyToken($newToken, 'value'));
     }
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/RememberMe/InMemoryTokenProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/RememberMe/InMemoryTokenProviderTest.php
@@ -22,7 +22,7 @@ public function testCreateNewToken()
     {
         $provider = new InMemoryTokenProvider();
 
-        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTimeImmutable(), false);
+        $token = new PersistentToken('foo', 'foo', 'foo', new \DateTimeImmutable());
         $provider->createNewToken($token);
 
         $this->assertSame($provider->loadTokenBySeries('foo'), $token);
@@ -38,7 +38,7 @@ public function testUpdateToken()
     {
         $provider = new InMemoryTokenProvider();
 
-        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTimeImmutable(), false);
+        $token = new PersistentToken('foo', 'foo', 'foo', new \DateTimeImmutable());
         $provider->createNewToken($token);
         $provider->updateToken('foo', 'newFoo', $lastUsed = new \DateTime());
         $token = $provider->loadTokenBySeries('foo');
@@ -51,7 +51,7 @@ public function testDeleteToken()
     {
         $provider = new InMemoryTokenProvider();
 
-        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTimeImmutable(), false);
+        $token = new PersistentToken('foo', 'foo', 'foo', new \DateTimeImmutable());
         $provider->createNewToken($token);
         $provider->deleteTokenBySeries('foo');
 
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/RememberMe/PersistentTokenTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/RememberMe/PersistentTokenTest.php
@@ -11,8 +11,6 @@
 
 namespace Symfony\Component\Security\Core\Tests\Authentication\RememberMe;
 
-use PHPUnit\Framework\Attributes\Group;
-use PHPUnit\Framework\Attributes\IgnoreDeprecations;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
 
@@ -36,12 +34,4 @@ public function testDateTime()
 
         $this->assertEquals($lastUsed, $token->getLastUsed());
     }
-
-    #[IgnoreDeprecations]
-    #[Group('legacy')]
-    public function testClassDeprecation()
-    {
-        $token = new PersistentToken('fooclass', 'fooname', 'fooseries', 'footokenvalue', new \DateTimeImmutable());
-        $this->assertSame('fooclass', $token->getClass());
-    }
 }
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -4,6 +4,7 @@ CHANGELOG
 8.0
 ---
 
+ * Remove `RememberMeDetails::getUserFqcn()`
  * Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Remove `AbstractListener::__invoke`
  * Throw a `BadCredentialsException` when passing an empty string as `$userIdentifier` argument to `UserBadge` constructor
diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
@@ -93,11 +93,9 @@ public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): U
         }
 
         return parent::consumeRememberMeCookie(new RememberMeDetails(
-            method_exists($token, 'getClass') ? $token->getClass(false) : '',
             $token->getUserIdentifier(),
             $expires,
             $token->getLastUsed()->getTimestamp().':'.$series.':'.$tokenValue.':'.(method_exists($token, 'getClass') ? $token->getClass(false) : ''),
-            false
         ));
     }
 
diff --git a/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php b/src/Symfony/Component/Security/Http/RememberMe/RememberMeDetails.php
@@ -21,56 +21,11 @@ class RememberMeDetails
 {
     public const COOKIE_DELIMITER = ':';
 
-    private ?string $userFqcn = null;
-    private string $userIdentifier;
-    private int $expires;
-    private string $value;
-
-    /**
-     * @param string $userIdentifier
-     * @param int    $expires
-     * @param string $value
-     */
     public function __construct(
-        $userIdentifier,
-        $expires,
-        $value,
+        private string $userIdentifier,
+        private int $expires,
+        private string $value,
     ) {
-        if (\func_num_args() > 3) {
-            if (\func_num_args() < 5 || func_get_arg(4)) {
-                trigger_deprecation('symfony/security-http', '7.4', 'Passing a user FQCN to %s() is deprecated. The user class will be removed from the remember-me cookie in 8.0.', __CLASS__, __NAMESPACE__);
-            }
-
-            if (!\is_string($userIdentifier)) {
-                throw new \TypeError(\sprintf('Argument 1 passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($userIdentifier)));
-            }
-
-            $this->userFqcn = $userIdentifier;
-            $userIdentifier = $expires;
-            $expires = $value;
-
-            if (\func_num_args() <= 3) {
-                throw new \TypeError(\sprintf('Argument 4 passed to "%s()" must be a string, the argument is missing.', __METHOD__));
-            }
-
-            $value = func_get_arg(3);
-        }
-
-        if (!\is_string($userIdentifier)) {
-            throw new \TypeError(\sprintf('The $userIdentifier argument passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($userIdentifier)));
-        }
-
-        if (!\is_int($expires) && !preg_match('/^\d+$/', $expires)) {
-            throw new \TypeError(\sprintf('$The $expires argument  passed to "%s()" must be an integer, "%s" given.', __METHOD__, get_debug_type($expires)));
-        }
-
-        if (!\is_string($value)) {
-            throw new \TypeError(\sprintf('The $value argument  passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($value)));
-        }
-
-        $this->userIdentifier = $userIdentifier;
-        $this->expires = $expires;
-        $this->value = $value;
     }
 
     public static function fromRawCookie(string $rawCookie): self
@@ -89,19 +44,14 @@ public static function fromRawCookie(string $rawCookie): self
             throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
         }
 
-        if ('' === $cookieParts[0]) {
-            unset($cookieParts[0]);
-        } else {
-            $cookieParts[0] = strtr($cookieParts[0], '.', '\\');
-            $cookieParts[4] = false;
-        }
+        unset($cookieParts[0]);
 
         return new static(...$cookieParts);
     }
 
     public static function fromPersistentToken(PersistentToken $token, int $expires): self
     {
-        return new static(method_exists($token, 'getClass') ? $token->getClass(false) : '', $token->getUserIdentifier(), $expires, $token->getSeries().':'.$token->getTokenValue(), false);
+        return new static($token->getUserIdentifier(), $expires, $token->getSeries().':'.$token->getTokenValue());
     }
 
     public function withValue(string $value): self
@@ -112,16 +62,6 @@ public function withValue(string $value): self
         return $details;
     }
 
-    /**
-     * @deprecated since Symfony 7.4, the user FQCN will be removed from the remember-me cookie in 8.0
-     */
-    public function getUserFqcn(): string
-    {
-        trigger_deprecation('symfony/security-http', '7.4', 'The "%s()" method is deprecated: the user FQCN will be removed from the remember-me cookie in 8.0.', __METHOD__);
-
-        return $this->userFqcn ?? '';
-    }
-
     public function getUserIdentifier(): string
     {
         return $this->userIdentifier;
@@ -140,6 +80,6 @@ public function getValue(): string
     public function toString(): string
     {
         // $userIdentifier is encoded because it might contain COOKIE_DELIMITER, we assume other values don't
-        return implode(self::COOKIE_DELIMITER, [strtr($this->userFqcn ?? '', '\\', '.'), strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
+        return implode(self::COOKIE_DELIMITER, ['', strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
     }
 }
diff --git a/src/Symfony/Component/Security/Http/RememberMe/SignatureRememberMeHandler.php b/src/Symfony/Component/Security/Http/RememberMe/SignatureRememberMeHandler.php
@@ -47,7 +47,7 @@ public function createRememberMeCookie(UserInterface $user): void
         $expires = time() + $this->options['lifetime'];
         $value = $this->signatureHasher->computeSignatureHash($user, $expires);
 
-        $details = new RememberMeDetails($user::class, $user->getUserIdentifier(), $expires, $value, false);
+        $details = new RememberMeDetails($user->getUserIdentifier(), $expires, $value);
         $this->createCookie($details);
     }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/RememberMeAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/RememberMeAuthenticatorTest.php
@@ -69,9 +69,7 @@ public static function provideSupportsData()
     public function testAuthenticate()
     {
         $rememberMeDetails = new RememberMeDetails('wouter', 1, 'secret');
-        $cookieData = explode(RememberMeDetails::COOKIE_DELIMITER, $rememberMeDetails->toString());
-        $cookieData[0] = '';
-        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => implode(RememberMeDetails::COOKIE_DELIMITER, $cookieData)]);
+        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => $rememberMeDetails->toString()]);
         $passport = $this->authenticator->authenticate($request);
 
         $this->rememberMeHandler->expects($this->once())->method('consumeRememberMeCookie')->with($this->callback(fn ($arg) => $rememberMeDetails == $arg));
@@ -80,7 +78,7 @@ public function testAuthenticate()
 
     public function testAuthenticateLegacyCookieFormat()
     {
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 1, 'secret', false);
+        $rememberMeDetails = new RememberMeDetails('wouter', 1, 'secret');
         $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => $rememberMeDetails->toString()]);
         $passport = $this->authenticator->authenticate($request);
 
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentRememberMeHandlerTest.php
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/SignatureRememberMeHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/SignatureRememberMeHandlerTest.php

Original file line number	Diff line number	Diff line change
`@@ -38,12 +38,10 @@ public function updateToken(string $series, #[\SensitiveParameter] string $token`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`$token = new PersistentToken(`
`41`		`- $this->tokens[$series]->getClass(false),`
`42`	`41`	`$this->tokens[$series]->getUserIdentifier(),`
`43`	`42`	`$series,`
`44`	`43`	`$tokenValue,`
`45`	`44`	`$lastUsed,`
`46`		`- false`
`47`	`45`	`);`
`48`	`46`	`$this->tokens[$series] = $token;`
`49`	`47`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,22 +21,22 @@ class CacheTokenVerifierTest extends TestCase`
`21`	`21`	`public function testVerifyCurrentToken()`
`22`	`22`	`{`
`23`	`23`	`$verifier = new CacheTokenVerifier(new ArrayAdapter());`
`24`		`- $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable(), false);`
	`24`	`+ $token = new PersistentToken('user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());`
`25`	`25`	`$this->assertTrue($verifier->verifyToken($token, 'value'));`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`public function testVerifyFailsInvalidToken()`
`29`	`29`	`{`
`30`	`30`	`$verifier = new CacheTokenVerifier(new ArrayAdapter());`
`31`		`- $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable(), false);`
	`31`	`+ $token = new PersistentToken('user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());`
`32`	`32`	`$this->assertFalse($verifier->verifyToken($token, 'wrong-value'));`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`public function testVerifyOutdatedToken()`
`36`	`36`	`{`
`37`	`37`	`$verifier = new CacheTokenVerifier(new ArrayAdapter());`
`38`		`- $outdatedToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable(), false);`
`39`		`- $newToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'newvalue', new \DateTimeImmutable(), false);`
	`38`	`+ $outdatedToken = new PersistentToken('user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());`
	`39`	`+ $newToken = new PersistentToken('user', 'series1@special:chars=/', 'newvalue', new \DateTimeImmutable());`
`40`	`40`	`$verifier->updateExistingToken($outdatedToken, 'newvalue', new \DateTimeImmutable());`
`41`	`41`	`$this->assertTrue($verifier->verifyToken($newToken, 'value'));`
`42`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -93,11 +93,9 @@ public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): U`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`return parent::consumeRememberMeCookie(new RememberMeDetails(`
`96`		`- method_exists($token, 'getClass') ? $token->getClass(false) : '',`
`97`	`96`	`$token->getUserIdentifier(),`
`98`	`97`	`$expires,`
`99`	`98`	`$token->getLastUsed()->getTimestamp().':'.$series.':'.$tokenValue.':'.(method_exists($token, 'getClass') ? $token->getClass(false) : ''),`
`100`		`- false`
`101`	`99`	`));`
`102`	`100`	`}`
`103`	`101`