Open martijnc opened 3 months ago
Updating existing cookies automatically from the bundle isn't possible as it might override some properties (e.g., path, expiration date) because that information is not sent back to the server. To perform the upgrade, the application will need to provide some of this information. Creating a
Cookie
from just the name/value pair may extend the expiration or widen the path restriction, making it less secure. This PR explores this.
Oh good point 👍🏻 I definitely hadn't fully thought out that process. I'll look at this PR later but thanks already.
The changes in #351 allow applications to configure a legacy hash algorithm to ease hash algorithm upgrades. The new algorithm is only used for new cookies; existing cookies are not updated, which requires
legacy_hash_algo
to be set for a prolonged time. A suggestion was made to support proactive upgrading of existing cookies automatically to shorten this timeframe.Updating existing cookies automatically from the bundle isn't possible as it might override some properties (e.g., path, expiration date) because that information is not sent back to the server. To perform the upgrade, the application will need to provide some of this information. Creating a
Cookie
from just the name/value pair may extend the expiration or widen the path restriction, making it less secure. This PR explores this.The application can provide a service(s) implementing
UpgradedCookieBuilderInterface
that can build aCookie
with the appropriate options from the name/value pair. This bundle handles the detection of upgradable cookies and manages the upgrade process, except for creating the actualCookie
. Adoption of this feature may be low due to theUpgradedCookieBuilderInterface
requirement.