Description
| Q | A |
|---|---|
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | no |
| RFC? | no |
| Symfony version | 2.8+ |
My scenario:
- I have a firewall
- Which has 3 authenticators
- Entry for one of the authenticators:
/hash/{hash}/ - Authenticates on the main firewall
- A voter restricts access for this authentication (same firewall context)
- When access denied by that voter, an in-page login screen will ask for the password to "elevate permissions"
- Successful authentication will grant you normal permissions, difference is that username is not required
The issue I have now that I'm using guard instead of Simple*, is that every failed authentication attempt, triggers a de-authentication. That means that instead of staying logged in and showing the error message that the password was wrong, the user is logged out and has to fill in both password and username.
This is really simple to reproduce, just try to login with invalid credentials when logged in, and it will de-authenticate you.
For this particular case, it can be solved by removing the following lines: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php#L100-L103
I think this is a bug, as it's really weird behavior to de-authenticate a user this way. I can provide a PR to fix this in 2.8, otherwise it has to be fixed with a deprecation in 4.1 (which would take too long for my issue though).