infinite loop when deleting a logged user from the database or disabling it #1798

Closed · stof opened this issue Jul 25, 2011 · 5 comments

Comments

@stof (Member)

stof commented Jul 25, 2011

If I delete the logged user from the database (in my case, it was because I cleared the database by reloading the fixtures), the next request sent to the site will try to authenticate this user in the ContextListener (as the browser still has the cookie) and fail (as the user does not exist anymore). But the cookie is not deleted. This leads to some weird behavior in some cases:

  • remove the user from the database (without clearing the cookie in your browser)
  • go to the signup page and recreate the user with this username, but as a disabled user (waiting for a confirmation sent through a mail)
  • the next requests will redirect to the login page because it finds the user again but disabled, which throws an AuthenticationException (and then an infinite loop as the same occur for the request to the login page).

If the cookie were removed when the user cannot be reloaded (not found or disabled), the next requests would match an anonymous token which would work.
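The reload step described above, as an added illustration that is not Symfony's ContextListener code: the stored token is refreshed against the user store on each request, and when the user is gone or has been recreated as disabled the token is dropped so the next request is anonymous instead of looping to the login page. The class and function names (User, UserRepository, refreshToken) and the in-memory fixture are assumptions made for this example.

```php
<?php
// Added example, not Symfony's code. All names below are hypothetical.

final class User
{
    public function __construct(public string $username, public bool $enabled) {}
}

final class UserRepository
{
    /** @param array<string, User> $users constructed in-memory fixture */
    public function __construct(private array $users) {}

    public function find(string $username): ?User
    {
        return $this->users[$username] ?? null;
    }
}

/**
 * Refresh the user referenced by the session token on every request.
 * Returns the username to keep in the session, or null when the token must be
 * removed so the next request is handled as anonymous rather than redirected
 * to the login path again and again.
 */
function refreshToken(?string $storedUsername, UserRepository $repo): ?string
{
    if ($storedUsername === null) {
        return null;                          // already anonymous
    }
    $user = $repo->find($storedUsername);
    if ($user === null || !$user->enabled) {
        return null;                          // deleted, or recreated disabled: drop the token
    }
    return $user->username;                   // user still valid: keep the token
}

// Scenario from the issue: the user logged in, was deleted by reloading fixtures,
// then re-registered as a disabled account while the browser kept its cookie.
$repo = new UserRepository(['alice' => new User('alice', false)]);
$session = 'alice';                           // stale token still in the session
$session = refreshToken($session, $repo);
assert($session === null);                    // token removed: no redirect loop
```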

@whisller

whisller commented Sep 2, 2011

The error occurs with "FOSUserBundle" and the "fos_user_registration_confirmation_enabled: true" option.

@stof (Member, Author)

stof commented Sep 2, 2011

@schmittjoh any news about this?

@lsmith77 (Contributor)

yeah .. removing the cookie seems like the right fix.

@fabpot (Member)

fabpot commented Sep 28, 2011

Anyone working on a patch?

snc added a commit to snc/symfony that referenced this issue Oct 31, 2011
…event infinite redirect loops to the login path (fixes symfony#1798).
snc added a commit to snc/symfony that referenced this issue Nov 10, 2011
…revent infinite redirect loops to the login path (fixes symfony#1798).
@fabpot fabpot closed this as completed in 3c584f5 Nov 10, 2011
fabpot added a commit that referenced this issue Nov 10, 2011
Commits
-------

4d80ebd Remove security token if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).

Discussion
----------

[2.1] Fix for issue 1798

Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Fixes the following tickets: #1798

This is a simplified PR of #2528 for the master branch.
homer6 pushed a commit to homer6/symfony that referenced this issue Nov 10, 2011
* 2.0:
  Added a class to the logs ol element to prevent hiding it when toggling an exception (fixes symfony#2589).
  Remove only the security token instead of the session cookie.
  Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes symfony#1798).
@reel

reel commented Sep 1, 2012

It seems like it still happens in RC2.

Having a user disabled and trying to log in, you get:

[2012-08-31 21:17:56] security.INFO: Authentication request failed: User account is disabled. [] []
[2012-08-31 21:17:56] security.DEBUG: Redirecting to /login [] []
[2012-08-31 21:17:56] security.DEBUG: Write SecurityContext in the session [] []
[2012-08-31 21:17:57] security.INFO: Populated SecurityContext with an anonymous Token [] []
[2012-08-31 21:17:57] security.DEBUG: Write SecurityContext in the session [] []

Then, enable it and try to log in once more:

[2012-08-31 21:18:22] security.INFO: User "[email protected]" has been authenticated successfully [] []
[2012-08-31 21:18:22] security.DEBUG: Write SecurityContext in the session [] []
[2012-08-31 21:18:23] security.INFO: Authentication exception occurred; redirecting to authentication entry point (A Token was not found in the SecurityContext.) [] []
[2012-08-31 21:18:23] security.DEBUG: Calling Authentication entry point [] []
[2012-08-31 21:18:23] security.DEBUG: Write SecurityContext in the session [] []
[2012-08-31 21:18:23] security.INFO: Populated SecurityContext with an anonymous Token [] []
[2012-08-31 21:18:23] security.DEBUG: Write SecurityContext in the session [] []

I still have to manually clear the cookie in the browser. Chrome 21 and IE9 acted the same on this.

Everything is working BUT the enable/disable feature.

NOTE: I am using PDO Session Storage...
