Update session key generation in SessionStorage

This commit changes how session keys are generated in SessionStorage. Instead of using a static value, a hash of the item's public key credential challenge is added to the session parameter to create a unique key. This enhancement should improve session data security.
web-auth · Jul 12, 2024 · 1aa51a6 · 1aa51a6
1 parent fd8af8f
commit 1aa51a6
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/symfony/src/Security/Storage/SessionStorage.php b/src/symfony/src/Security/Storage/SessionStorage.php
@@ -23,7 +23,8 @@ public function __construct(
  public function store(Item $item, string|null $tag = null): void
  {
  $session = $this->requestStack->getSession();
- $session->set(self::SESSION_PARAMETER, [
+ $key = sprintf('%s-%s', self::SESSION_PARAMETER, hash('xxh128', $item->getPublicKeyCredentialOptions()->challenge));
+ $session->set($key, [
  'options' => $item->getPublicKeyCredentialOptions(),
  'userEntity' => $item->getPublicKeyCredentialUserEntity(),
  ]);