Details
Type: Bug
Resolution: Fixed
Priority: Medium
Affects Version/s: 3.5.0, 3.6.0, 3.7.0
Description
NOTE
In 3.7.1, we'll be shipping a workaround that makes the remember-me problem less likely to occur. This workaround will however not completely eliminate all remember-me problems.
A real fix for the problem (a rewrite of the remember-me functionality) is expected to ship in 3.8.0.
A race condition has been discovered in remember-me authentication where two parallel HTTP requests provide the same remember-me cookie to Stash.
The first request authenticates successfully and a new remember-me token is generated and returned to the browser.
The second request attempts to authenticate using the (now stale) token and is rejected. Furthermore, Stash detects that it is a stale token and, as a safety precaution against cookie theft attacks, invalidates all remember-me tokens for the user, including the new cookie that was just returned.
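To make the sequence concrete, here is an added Python simulation (example code, not Stash's implementation; the token store, the grace window and the user "alice" are assumptions of the example) that replays the two requests against a toy rotating token store, first with the strict stale-token rule described above and then with a short grace period for just-rotated tokens, the kind of mitigation that makes the race less likely to lock the user out:

```python
import secrets
import time


class RememberMeStore:
    # Toy store: valid tokens map to a user; retired tokens remember when
    # they were rotated and which token replaced them (constructed example).
    def __init__(self, grace_seconds=0.0):
        self.tokens = {}
        self.retired = {}
        self.grace_seconds = grace_seconds

    def issue(self, user):
        tok = secrets.token_hex(16)
        self.tokens[tok] = user
        return tok

    def authenticate(self, presented, now=None):
        now = time.time() if now is None else now
        user = self.tokens.pop(presented, None)
        if user is not None:
            # Normal path: rotate the token and send a fresh cookie back.
            new_tok = self.issue(user)
            self.retired[presented] = (user, now, new_tok)
            return user, new_tok
        stale = self.retired.get(presented)
        if stale is None:
            return None, None  # unknown token: plain authentication failure
        user, retired_at, replacement = stale
        if now - retired_at <= self.grace_seconds:
            # Mitigation: a token retired moments ago is most likely the losing
            # half of a parallel-request race, so accept it and hand back the
            # same replacement cookie instead of treating it as theft.
            return user, replacement
        # Stale token outside the grace window: treat as possible cookie theft
        # and revoke every remember-me token for the user (the behaviour the
        # bug report describes).
        self.revoke_all(user)
        return None, None

    def revoke_all(self, user):
        for t in [t for t, u in self.tokens.items() if u == user]:
            del self.tokens[t]
        for t in [t for t, (u, _, _) in self.retired.items() if u == user]:
            del self.retired[t]


def simulate_parallel_requests(grace_seconds):
    store = RememberMeStore(grace_seconds)
    cookie = store.issue("alice")
    # Two requests carry the same cookie; the server handles them back to
    # back, so the second one presents a token the first has already rotated.
    user1, cookie1 = store.authenticate(cookie, now=100.0)
    user2, cookie2 = store.authenticate(cookie, now=100.05)
    survived = cookie1 in store.tokens  # can the browser's new cookie still log in?
    return user1, user2, cookie1 == cookie2, survived
```

With `grace_seconds=0` the second request fails and the freshly issued cookie is revoked along with everything else, reproducing the lockout; with a small grace window both requests succeed and agree on the replacement cookie, at the cost of briefly accepting a token that has already been rotated, which is why such a workaround narrows the problem rather than eliminating it.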