[Security] Remember me does not check the checkPreAuth #10242
glutamatt added a commit to glutamatt/symfony that referenced this issue on Jun 4, 2014
This was referenced Jun 4, 2014
glutamatt added a commit to glutamatt/symfony that referenced this issue on Jun 5, 2014
glutamatt added a commit to glutamatt/symfony that referenced this issue on Jun 5, 2014
glutamatt added a commit to glutamatt/symfony that referenced this issue on Jun 9, 2014
glutamatt added a commit to glutamatt/symfony that referenced this issue on Jun 30, 2014
glutamatt added a commit to glutamatt/symfony that referenced this issue on Sep 23, 2014
glutamatt added a commit to glutamatt/symfony that referenced this issue on Sep 23, 2014
fabpot pushed a commit that referenced this issue on Sep 24, 2014
fabpot added a commit that referenced this issue on Sep 24, 2014

…AuthenticationProvider (glutamatt)

This PR was submitted for the 2.4 branch but it was merged into the 2.3 branch instead (closes #11058).

Discussion
----------

[Security] bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #10242
| License       | MIT

[Security] fixed missing call to UserChecker::checkPreAuth

edit : after the discussion with @hellomedia, I replaced postcheck with precheck glutamatt@e0730e0#commitcomment-6580764

Commits
-------

a38d1cd bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider

fabpot added a commit that referenced this issue on Sep 25, 2014

* 2.3:
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
  src/Symfony/Component/Form/CHANGELOG.md
  src/Symfony/Component/HttpFoundation/Tests/ResponseTest.php
  src/Symfony/Component/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php

webmozart added a commit that referenced this issue on Sep 25, 2014

* 2.4:
  [Form] Removed constructor argument from FormTypeHttpFoundationExtension for forward compatibility with 2.5
  [Validator] Simplified testing of violations
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  fixed bug
  added the possibility to return null from SimplePreAuthenticationListener
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
  src/Symfony/Component/Form/Extension/Core/Type/FormType.php
  src/Symfony/Component/Form/Extension/Validator/Constraints/FormValidator.php
  src/Symfony/Component/Form/Extension/Validator/Util/ServerParams.php
  src/Symfony/Component/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php
  src/Symfony/Component/Validator/Tests/Constraints/AbstractConstraintValidatorTest.php

webmozart added a commit that referenced this issue on Sep 25, 2014

* 2.5:
  [Command] Set the process title as late as possible
  [Form] Removed constructor argument from FormTypeHttpFoundationExtension for forward compatibility with 2.5
  [Validator] Simplified testing of violations
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  fixed bug
  added the possibility to return null from SimplePreAuthenticationListener
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
  src/Symfony/Component/Form/Tests/Extension/Validator/Constraints/FormValidatorTest.php

ostrolucky pushed a commit to ostrolucky/symfony that referenced this issue on Mar 25, 2018
ostrolucky pushed a commit to ostrolucky/symfony that referenced this issue on Mar 25, 2018
ostrolucky pushed a commit to ostrolucky/symfony that referenced this issue on Mar 25, 2018
I was debugging a situation where a user is still logged in to our system after we blocked the user. I found that the RememberMeAuthenticationProvider does not check the checkPreAuth. The user could still browse the system after we blocked them.
I found this pull request #9902
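
The behaviour reported in this issue, as an added example that is not Symfony's code and not part of the original thread: `User`, `UserChecker` and `authenticateRememberMe` are simplified stand-ins, and only the `checkPreAuth` name comes from the page. It runs the same remember-me login for a blocked account once without the pre-auth check and once with it.

```php
<?php
declare(strict_types=1);

// Added example with simplified stand-ins; these are not Symfony's classes.

final class LockedException extends RuntimeException {}
final class BadKeyException extends RuntimeException {}

final class User
{
    public function __construct(public string $username, public bool $locked = false) {}
}

// Stand-in user checker exposing the hook named in this issue.
final class UserChecker
{
    public function checkPreAuth(User $user): void
    {
        if ($user->locked) {
            throw new LockedException("account '{$user->username}' is locked");
        }
    }
}

// Hypothetical remember-me provider. Passing null as $checker models the
// reported behaviour: a valid cookie alone is enough to re-authenticate.
function authenticateRememberMe(User $user, string $cookieKey, string $appKey, ?UserChecker $checker): string
{
    if (!hash_equals($appKey, $cookieKey)) {
        throw new BadKeyException('The presented key does not match.');
    }
    if ($checker !== null) {
        $checker->checkPreAuth($user); // account state is re-checked on every cookie login
    }
    return "authenticated as {$user->username}";
}

// Constructed scenario: the user already holds a valid cookie, then the account is blocked.
$appKey = 'constructed-app-key';
$user = new User('alice');
$user->locked = true;

foreach (['without checkPreAuth' => null, 'with checkPreAuth' => new UserChecker()] as $label => $checker) {
    try {
        echo $label, ': ', authenticateRememberMe($user, $appKey, $appKey, $checker), PHP_EOL;
    } catch (LockedException $e) {
        echo $label, ': rejected, ', $e->getMessage(), PHP_EOL;
    }
}
```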