Problem/Motivation

When trying to delete a token, the function creates a hash of an already hashed token. Therefore the token is not deleted from the database.

Proposed resolution

Remove the additional hash function in the deleteToken function:

-        ->condition('series', Crypt::hashBase64($token->getSeries()))
+        ->condition('series', $token->getSeries())
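Review bot: the corrected condition only works if `$token->getSeries()` already returns the hashed series value, and nothing in the hunk states that; add a doc comment on deleteToken (or a more explicit accessor name such as getHashedSeries) so a later change cannot reintroduce the second `Crypt::hashBase64()` call.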

Remaining tasks

On top of that, it would be great to implement a hook_user_delete() to delete all data for the deleted user stored in the persistent_login database table.

This would also fix https://www.drupal.org/project/persistent_login/issues/3399159 in a cleaner way from the perspective of data security/data policy.

Comment: #2 | File: 3400061-2.patch | Size: 1.41 KB | Author: slowflyer
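As an added illustration (not the module's patch and not the project's own code), the PHP below shows why hashing the already hashed series value a second time never matches the stored row, and sketches a hypothetical hook_user_delete() that removes a deleted account's rows from the persistent_login table. It assumes a Drupal autoloader is available, that the table has `series` and `uid` columns as the issue text describes, and the names StoredToken, lookupKeys() and example_user_delete() are made up for this example.

```php
<?php
// Added example, not persistent_login's own code. Assumes Drupal's autoloader
// (Crypt, UserInterface, \Drupal::database()) is loaded.

use Drupal\Component\Utility\Crypt;
use Drupal\user\UserInterface;

/**
 * Hypothetical token object: getSeries() returns the ALREADY hashed series,
 * i.e. the value that was written to the persistent_login.series column.
 */
final class StoredToken {
  public function __construct(private string $hashedSeries) {}

  public function getSeries(): string {
    return $this->hashedSeries;
  }
}

/**
 * Builds the lookup key both ways for a constructed sample series.
 *
 * @return array{stored: string, buggy: string, fixed: string}
 */
function lookupKeys(string $rawSeries = 'constructed-sample-series'): array {
  // The raw series is hashed once when the token is stored.
  $stored = new StoredToken(Crypt::hashBase64($rawSeries));
  return [
    'stored' => Crypt::hashBase64($rawSeries),
    // Before the fix: the hashed value is hashed again, so no row matches
    // and the DELETE silently affects zero rows.
    'buggy' => Crypt::hashBase64($stored->getSeries()),
    // After the fix: the hashed value is used as-is and matches the row.
    'fixed' => $stored->getSeries(),
  ];
}

$keys = lookupKeys();
assert($keys['buggy'] !== $keys['stored']); // double hash: token survives deletion
assert($keys['fixed'] === $keys['stored']); // single hash: token is removed

/**
 * Implements hook_user_delete() (hypothetical module name "example").
 *
 * Deletes every persistent_login row for the removed account so that no
 * remember-me token can outlive the user it was issued for.
 */
function example_user_delete(UserInterface $account): void {
  \Drupal::database()->delete('persistent_login')
    ->condition('uid', $account->id())
    ->execute();
}
```

The hook runs on entity deletion only; rows left behind by users removed before such a hook existed still need a one-off cleanup, which is what the hook_update mentioned later in this thread addresses.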

Comments

slowflyer created an issue. See original summary.

slowflyer:

Status: new | File size: 1.41 KB

Patch fixing the issue and implementing hook_user_delete.

slowflyer:

Same issue on 2.x branch.

gapple:

Thanks for the report and merge request.

I'm going to explore ways to make it more explicit whether the token values are hashed or not.

  • gapple committed 4abdc405 on 2.x
    Issue #3400061: Differentiate between tokens with hashed or unhashed...

g-brodiei made their first commit to this issue’s fork.

g-brodiei:

Version: 8.x-1.x-dev » 2.x-dev

Changing the target branch to 2.x.

When a deleted user has a persistent session record that has not expired, the end user who previously logged in with their browser may encounter this PHP error message, since the uid matching the current browser session can no longer load any user entity.

Added a new commit providing a hook_update to remove records in the persistent_login table for deleted users from before the token delete fix was working.

g-brodiei:

Status: Active » Needs review

Setting status to needs review, thanks!

g-brodiei:

Added the missing `hook_user_delete` solution from @slowflyer to MR !13.

Tested that the records for the deleted user's uid are gone from the `persistent_login` table right after user deletion.

  • gapple committed 84ca60b2 on 8.x-1.x
    Issue #3400061: Differentiate between tokens with hashed or unhashed...

gapple:

Status: Needs review » Fixed

The double-hashing was fixed in 8.x-1.7 and 2.2.1.
Cleaning up tokens for deleted users was fixed in 8.x-1.9 and 2.2.3.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.