djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

It is possible to make a never-expiring token #36

Closed eXtreme closed 10 years ago

eXtreme commented 10 years ago

PHP's strtotime can parse not only a date but also some words that make a time, like "now". When you don't cache and validate nonces, it is possible to create a token which never expires and is always valid. You just have to create a token with "now" as the "created" param. :)

djoos commented 10 years ago

Hi @eXtreme,

thanks for getting in touch - you're definitely right!

What would you suggest as a fix? Check whether strtotime's time parameter is actually an int?

Thanks in advance for your feedback!

Kind regards, David

eXtreme commented 10 years ago

I'm not sure; it depends on how strict you are about the date format. I force the ISO 8601 date format so that it can be easily validated with a regexp before strtotime.

djoos commented 10 years ago

Thanks for spotting this @eXtreme!

I've added a date_format check on the token's $created; the required format defaults to ISO 8601, but it can be easily changed to fit anyone's more advanced needs.

Kind regards, David

eXtreme commented 10 years ago

@djoos cool, good to hear that :)
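The two behaviours discussed in this thread, side by side, as an added example that is not the bundle's own code: a loose check that hands the WSSE `Created` value straight to `strtotime()` (so `"now"` or `"-1 minute"` is re-evaluated against the server clock on every request and never ages), and a strict check that accepts only an absolute ISO 8601 timestamp before any date parsing happens. The lifetime constant, the function names and the fixed server clock are assumptions for the demo.

```php
<?php
// Added example, not the bundle's own code. It contrasts the flaw reported in
// this issue (strtotime() accepting "now" as a WSSE Created value) with a
// strict ISO 8601 check applied before any date parsing.
// WSSE_LIFETIME and the function names are assumptions for the demo.

const WSSE_LIFETIME = 300; // seconds a Created timestamp is considered fresh

// Loose variant: strtotime() happily evaluates relative expressions such as
// "now" or "-1 minute", so the "created" value is recomputed against the
// current clock on every request and the token never ages.
function createdIsFreshLoose(string $created, int $now): bool
{
    $ts = strtotime($created, $now);
    if ($ts === false) {
        return false; // unparseable
    }
    return $ts <= $now && ($now - $ts) <= WSSE_LIFETIME;
}

// Strict variant: only an absolute ISO 8601 timestamp is accepted.
// Returns the Unix timestamp, or null when the value is not an exact match.
function parseCreatedStrict(string $created): ?int
{
    // 1. Shape check before any parser sees the string: date, 'T', time and
    //    an explicit zone ("Z" or +HH:MM). Relative words like "now" fail here.
    if (preg_match('/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})$/', $created) !== 1) {
        return null;
    }
    // 2. Parse with a fixed format (DATE_ATOM is "Y-m-d\TH:i:sP"); a trailing
    //    "Z" is normalised to "+00:00" so the round-trip below compares exact
    //    strings.
    $normalised = substr($created, -1) === 'Z'
        ? substr($created, 0, -1) . '+00:00'
        : $created;
    $dt = DateTimeImmutable::createFromFormat(DATE_ATOM, $normalised);
    // 3. Round-trip: createFromFormat() silently rolls invalid fields over
    //    (2014-02-30 becomes 2014-03-02), so require the re-rendered string
    //    to be identical to the input.
    if ($dt === false || $dt->format(DATE_ATOM) !== $normalised) {
        return null;
    }
    return $dt->getTimestamp();
}

function createdIsFreshStrict(string $created, int $now): bool
{
    $ts = parseCreatedStrict($created);
    if ($ts === null) {
        return false;
    }
    return $ts <= $now && ($now - $ts) <= WSSE_LIFETIME;
}

// Demo with a fixed "server clock" so the output is reproducible.
$now = 1400000000; // 2014-05-13T16:53:20+00:00 (constructed)
$samples = [
    'now',                          // the attack from this issue
    '-1 minute',                    // relative expression, always 60 s old
    gmdate(DATE_ATOM, $now - 60),   // genuine token, 60 s old
    '2014-05-13T16:52:20Z',         // same instant, Z suffix
    gmdate(DATE_ATOM, $now - 3600), // stale token
    '2014-02-30T12:00:00+00:00',    // invalid calendar date
];
foreach ($samples as $created) {
    printf("%-28s loose=%-7s strict=%s\n",
        $created,
        createdIsFreshLoose($created, $now) ? 'fresh' : 'reject',
        createdIsFreshStrict($created, $now) ? 'fresh' : 'reject');
}
```

Run it with `php` on the command line: the loose check reports `now` and `-1 minute` as fresh no matter what `$now` is, while the strict check rejects both and accepts only the two absolute timestamps within the lifetime. The regex alone is not enough, which is why the round-trip comparison is there: `createFromFormat()` accepts `2014-02-30` and quietly moves it to 2 March, and a format check that stops at "it parsed" would let such values through.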