[Security] Do not try to clear CSRF on stateless request

Seb33300 · Seb33300 · commit 1d1033389827 · 2024-04-26T16:01:57.000+07:00
diff --git a/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php b/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php
@@ -32,7 +32,12 @@ public function __construct(ClearableTokenStorageInterface $csrfTokenStorage)
 
     public function onLogout(LogoutEvent $event): void
     {
-        if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) {
+        $request = $event->getRequest();
+
+        if (
+            $this->csrfTokenStorage instanceof SessionTokenStorage
+            && ($request->attributes->getBoolean('_stateless') || !$request->hasPreviousSession())
+        ) {
             return;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,12 @@ public function __construct(ClearableTokenStorageInterface $csrfTokenStorage)`
`32`	`32`
`33`	`33`	`public function onLogout(LogoutEvent $event): void`
`34`	`34`	`{`
`35`		`- if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) {`
	`35`	`+ $request = $event->getRequest();`
	`36`	`+`
	`37`	`+ if (`
	`38`	`+ $this->csrfTokenStorage instanceof SessionTokenStorage`
	`39`	`+ && ($request->attributes->getBoolean('_stateless') \|\| !$request->hasPreviousSession())`
	`40`	`+ ) {`
`36`	`41`	`return;`
`37`	`42`	`}`
`38`	`43`