[Security] Fix invalid cookie when migrating to new Security

Author: jderusse

RememberMe/RememberMeDetails.php

@@ -40,6 +40,9 @@ public static function fromRawCookie(string $rawCookie): self
         if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {
             throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
         }
+        if (4 !== \count($cookieParts)) {
+            throw new AuthenticationException('The cookie contains invalid data.');
+        }
 
         return new static(...$cookieParts);
     }

Tests/Authenticator/RememberMeAuthenticatorTest.php

@@ -16,6 +16,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Http\Authenticator\RememberMeAuthenticator;
 use Symfony\Component\Security\Http\RememberMe\RememberMeDetails;
@@ -80,4 +81,12 @@ public function testAuthenticateWithoutToken()
 
         $this->authenticator->authenticate(Request::create('/'));
     }
+
+    public function testAuthenticateWithoutOldToken()
+    {
+        $this->expectException(AuthenticationException::class);
+
+        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => base64_encode('foo:bar')]);
+        $this->authenticator->authenticate($request);
+    }
 }