Skip to content

Improve cookie authentication tokens#805

Merged
markstory merged 3 commits into
4.xfrom
improve-cookie-token-jorge
Jul 8, 2026
Merged

Improve cookie authentication tokens#805
markstory merged 3 commits into
4.xfrom
improve-cookie-token-jorge

Conversation

@markstory

Copy link
Copy Markdown
Member

Replace the token generation in CookieAuthenticator with a new token format. The previous token format had weaknesses that could be used to create an authentication bypass if encrypted cookies were not used.

The legacyTokens option provides backwards compatibility for existing tokens, and gives application developers a path to disable legacy token support, which will become the default in a future minor release.

Thanks to Gilles Bedel for reporting this issue through the security mailing list.

@markstory markstory added this to the 4.x milestone Jul 4, 2026
@markstory markstory merged commit ad01885 into 4.x Jul 8, 2026
6 of 8 checks passed
@markstory markstory deleted the improve-cookie-token-jorge branch July 8, 2026 03:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants