[Security] Mark the request as _stateless if the firewall used is stateless #40372
Comments
Thank you for this suggestion.

Still relevant, will see if I can work on a patch.

Patch welcome indeed :)

Thank you for this suggestion.
fabpot added a commit that referenced this issue on Dec 18, 2022
…s stateless (alamirault)

This PR was squashed before being merged into the 6.3 branch.

Discussion
----------

[SecurityBundle] Set request stateless when firewall is stateless

| Q             | A   |
| ------------- | --- |
| Branch?       | 6.3 |
| Bug fix?      | no  |
| New feature?  | yes |
| Deprecations? | no  |
| Tickets       | Fix #40372 |
| License       | MIT |
| Doc PR        | symfony/symfony-docs#... |

Automatically add `_stateless` attribute to the request when firewall is stateless

Commits
-------

ce458c6 [SecurityBundle] Set request stateless when firewall is stateless
nicolas-grekas added a commit that referenced this issue on Aug 16, 2024
…he request when firewall is stateless and the attribute is not already set (MatTheCat)

This PR was submitted for the 7.2 branch but it was merged into the 6.4 branch instead.

Discussion
----------

[SecurityBundle] Revert adding `_stateless` attribute to the request when firewall is stateless and the attribute is not already set

| Q             | A   |
| ------------- | --- |
| Branch?       | 6.4 |
| Bug fix?      | yes |
| New feature?  | no  |
| Deprecations? | no  |
| Issues        | Fix #50715 |
| License       | MIT |

#40372 was about routes matching both stateful and stateless firewalls: you couldn't easily configure them as stateless under a stateless firewall only. #48044 fixed it by linking these two attributes: a stateless firewall then implied a stateless request.

While it can sound logical, this impacted many projects using the session while authenticating users in a stateless fashion. At last, #49997 allowed to override this behavior by explicitly configuring routes as *not* stateless.

This kind of proved that #48044 was a mistake: you cannot tell a request must be stateless only because it matches a stateless firewall. As such, this PR reverts #48044 (and consequently #49997) so that configuring routes as stateless is the developers' responsibility alone.

It also reopens #40372, but I think this issue should be fixed in an opt-in way (with a new `firewall.stateless.with_routes` boolean configuration in the SecurityBundle e.g.).

Commits
-------

47baed9 [SecurityBundle] Revert adding `_stateless` attribute to the request when firewall is stateless and the attribute is not already set
Description
As of 5.1, routes can be marked stateless which is a great addition. It occurred to me that if a firewall is configured to be stateless, the Request could also automatically receive the stateless attribute if it matches the firewall config.
Example
Security config example:
In this case, requests to the api.example.org should get the _stateless attribute automatically, so we get warned if any API usage has a session started. Using stateless routes in this case is not strictly possible as we have routes usable on both api and regular domain, and they do make use of sessions for user authentication on the regular domain, but not on the API one.
I for now fixed this with a request listener setting the attribute myself, but it would be nice if the framework took care of it.
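An added example of the kind of request listener the description refers to: it is not the issue author's listener and not Symfony's own code (the behaviour Symfony shipped in #48044 and later reverted lived in the SecurityBundle itself). It assumes Symfony 5.3 or later with the SecurityBundle, that the subscriber is registered as a service with `security.firewall.map` injected, and that the `_stateless` attribute, once set, is checked by the framework's session listener so a session started on an API request is reported. It also keeps the opt-out that #49997 introduced: a route that explicitly sets `_stateless` (true or false) is left alone, so only requests that matched a stateless firewall and carry no route-level decision get flagged.

```php
<?php
// Added example, not the issue author's code nor Symfony's.
// Assumed wiring (config/services.yaml):
//   App\EventListener\StatelessFirewallRequestListener:
//       arguments: ['@security.firewall.map']

namespace App\EventListener;

use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class StatelessFirewallRequestListener implements EventSubscriberInterface
{
    public function __construct(private FirewallMap $firewallMap)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 16: after the router (32) has copied route options such as
        // `_stateless` into the request attributes, and before the firewall
        // listener (8) starts authenticating, so the attribute is in place
        // for anything the firewall or the session listener does later.
        return [KernelEvents::REQUEST => ['onKernelRequest', 16]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        // Sub-requests (e.g. fragments) inherit the main request's decision.
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();

        // The route already decided (stateless: true or false); respect it.
        if ($request->attributes->has('_stateless')) {
            return;
        }

        // Resolve which firewall this request matched, if any. Requests that
        // hit no firewall (or a firewall with security: false) get null.
        $config = $this->firewallMap->getFirewallConfig($request);
        if (null === $config || !$config->isStateless()) {
            return;
        }

        // Mark the request stateless: the session listener will then report
        // any session that gets started while handling it, which is exactly
        // the warning the API host wants and the regular host does not.
        $request->attributes->set('_stateless', true);
    }
}
```

Because the listener checks `has('_stateless')` rather than the attribute's value, a route that declares `stateless: false` under the API host keeps its session, which is the escape hatch the revert discussion above describes; remove that check and you reproduce the behaviour that #48044 shipped and #50715 complained about.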