diff --git a/security/login_link.rst b/security/login_link.rst index 40679e50071..b1688490f5f 100644 --- a/security/login_link.rst +++ b/security/login_link.rst @@ -111,9 +111,9 @@ intercept requests to this route: throw new \LogicException('This code should never be reached'); } } - + .. code-block:: php-attributes - + // src/Controller/SecurityController.php namespace App\Controller; @@ -428,6 +428,13 @@ The signed URL contains 3 parameters: properties. Whenever these change, the hash changes and previous login links are invalidated. +For a user that returns ``user@example.com`` on ``$user->getUserIdentifier()`` +call, the generated login link looks like this: + +.. code-block:: text + + http://example.com/login_check?user=user@example.com&expires=1675707377&hash=f0Jbda56Y...A5sUCI~TQF701fwJ...7m2n4A~ + You can add more properties to the ``hash`` by using the ``signature_properties`` option: @@ -673,6 +680,23 @@ user create this POST request (e.g. by clicking a button):: {% endblock %} +Hashing Strategy +~~~~~~~~~~~~~~~~ + +Internally, the :class:`Symfony\\Component\\Security\\Http\\LoginLink\\LoginLinkHandler` +implementation uses the +:class:`Symfony\\Component\\Security\\Core\\Signature\\SignatureHasher` to create the +hash contained in the login link. + +This hasher creates a first hash with the expiration +date of the link, the values of the configured signature properties and the +user identifier. The used hashing algorithm is SHA-256. + +Once this first hash is processed and encoded in Base64, a new one is created +from the first hash value and the ``kernel.secret`` container parameter. This +allows Symfony to sign this final hash, which is contained in the login URL. +The final hash is also a Base64 encoded SHA-256 hash. + Customizing the Success Handler -------------------------------
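Review bot: the example URL added in the second hunk (`http://example.com/login_check?user=user@example.com&expires=1675707377&hash=f0Jbda56Y...A5sUCI~TQF701fwJ...7m2n4A~`) abbreviates the `hash` value with `...` but never says so, and readers comparing it with a real link may take the dots literally or wonder why the hash is so short. The sentence introducing the block should state that the hash is shortened for readability, and since the surrounding text says the signed URL contains 3 parameters, it would help to name what each carries here (`user` is the user identifier, `expires` is a Unix timestamp, `hash` is the value described under "Hashing Strategy"), e.g. "The ``hash`` value is shortened here; a real link contains the full value."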
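Review bot: the new "Hashing Strategy" section in the third hunk conflates hashing with signing in its second paragraph ("a new one is created from the first hash value and the ``kernel.secret`` container parameter. This allows Symfony to sign this final hash"). If the final value is a keyed MAC over the first hash (HMAC-SHA256 with ``kernel.secret`` as the key), say so explicitly, because a plain SHA-256 over secret-plus-data is not a signature and the security of the login link rests on the secret being used as a key that an attacker cannot reproduce. Two smaller points: "Base64 encoded" should be qualified, since the example URL added earlier in this patch shows ``~`` inside the hash, which is not a standard Base64 character, so the encoding is a URL-safe variant and the substituted characters should be listed; and "Once this first hash is processed" is vague, where "Once this first hash is computed" reads better.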