Hello. If someone gets my "remember me" cookie, I think that he also gets my "session id" cookie. So the checks in PersistentTokenBasedRememberMeServices::processAutoLoginCookie wouldn't make any sense.
In the other case, these checks prevent creating multidomain authentication:

1. The user logs in on master.site; we set a remember-me cookie for the persistent token.
2. The user returns to other.site, where an included script src="master.site" checks whether the user is authenticated and, if true, redirects to other.site/set-remember-me-cookie=cookie_value.

We don't set the "session id" cookie, so on other sites we have different sessions. And we always get a CookieTheftException.

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony developers" group.
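An added illustrative PHP model (not Symfony's code) of the series/token scheme that a persistent-token remember-me service such as processAutoLoginCookie implements: the token is rotated on every auto-login, so a copied cookie value presented after the original copy has already been used no longer matches the stored token and is treated as theft. The class and the user name `alice` are constructed for the example.

```php
<?php
// Illustrative model of a persistent-token remember-me store (not Symfony's code).
// Cookie value = series:token. The series identifies one login; the token is
// rotated on every successful auto-login. A presented token that does not match
// the stored token for its series means the cookie value was used twice, i.e.
// a second copy exists, so the whole series is revoked.

class CookieTheftException extends RuntimeException {}

final class RememberMeStore
{
    /** @var array<string, array{user: string, token: string}> keyed by series */
    private array $rows = [];

    /** Called at login: create a new series and return the cookie value. */
    public function createCookie(string $user): string
    {
        $series = bin2hex(random_bytes(16));
        $token  = bin2hex(random_bytes(16));
        $this->rows[$series] = ['user' => $user, 'token' => $token];
        return $series . ':' . $token;
    }

    /** Called on auto-login: verify, rotate the token, return [user, newCookie]. */
    public function autoLogin(string $cookie): array
    {
        [$series, $token] = explode(':', $cookie, 2) + [null, null];
        if ($series === null || $token === null || !isset($this->rows[$series])) {
            throw new RuntimeException('Unknown or malformed remember-me cookie');
        }
        $row = $this->rows[$series];
        if (!hash_equals($row['token'], $token)) {
            // Two holders of the same series with different tokens: drop the series.
            unset($this->rows[$series]);
            throw new CookieTheftException('Token mismatch for series; series revoked');
        }
        $row['token'] = bin2hex(random_bytes(16)); // rotate on every use
        $this->rows[$series] = $row;
        return [$row['user'], $series . ':' . $row['token']];
    }
}

// Walkthrough with a constructed user.
$store  = new RememberMeStore();
$cookie = $store->createCookie('alice');       // issued to the first browser/site
[$user, $fresh] = $store->autoLogin($cookie);  // first use: token rotated, $fresh is new
// A second copy of the original value (e.g. set on another site that only
// received the old value) is now stale; presenting it raises CookieTheftException.
try {
    $store->autoLogin($cookie);
} catch (CookieTheftException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Each holder of the cookie must receive and store the rotated value after every auto-login; a copy that is not updated will trigger the theft check on its next use.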