
Upgrading from Symfony 4.x to Symfony 5.x logouts all users #44676

Closed
@ajgarlag


Symfony version(s) affected

5.x

Description

The Symfony\Component\Security\Core\Role\Role and Symfony\Component\Security\Core\Role\SwitchUserRole classes were deprecated in Symfony 4.3 and removed in Symfony 5.0.

But if you are using PHP sessions to keep users logged in and you are using any authentication token that extends the given AbstractToken, the authenticated token is being serialized with references to old role classes in your Symfony 4 app.

When you upgrade your app to Symfony 5, and the ContextListener tries to unserialize the token, the old role classes no longer exist, causing an exception. The exception is caught by Symfony and your users will only see their sessions closed without any reason.

How to reproduce

Execute:

git clone git@github.com:ajgarlag/sf4-to-sf5-bug.git
cd sf4-to-sf5-bug
git checkout origin/4.x
composer install
symfony serve -d

Now visit http://localhost:8000/profile and fill in the login form with:

  • Username: user
  • Password: foobar

You will be logged in. Keep this browser window open.

Execute:

git checkout origin/5.x
composer install

Refresh the browser window. You will be logged out. If you explore the profile of the redirect response, you will see:

[Screenshot: Screenshot_20211216_193000]

Possible Solution

I'm not sure how to fix it in Symfony code, so I've created a little package that will provide the missing classes: ajgl/sf4-to-sf5-role-unserialization

To see it in action try the following reproducer:

Execute:

git clone git@github.com:ajgarlag/sf4-to-sf5-bug.git
cd sf4-to-sf5-bug
git checkout origin/4.x
composer install
symfony serve -d

Now visit http://localhost:8000/profile and fill in the login form with:

  • Username: user
  • Password: foobar

You will be logged in. Keep this browser window open.

Execute:

git checkout origin/main
composer install

Refresh the browser window. You will be logged in, and the serialized token stored in the session has been successfully upgraded to be Symfony 5 compatible.

Finally you can safely remove my package:

composer remove ajgl/sf4-to-sf5-role-unserialization

If you refresh the browser window, you will be logged in.

Additional Context

No response
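The mechanism behind this report, as an added example in plain PHP (this is not code from the issue, from Symfony, or from the ajgl/sf4-to-sf5-role-unserialization package). It shows why a 4.x session token cannot be decoded at all on 5.x, even though 5.x ignores the roles slot: PHP's unserialize() meets an unknown class name inside the blob, calls unserialize_callback_func, and Symfony's callback throws. It then shows how a shim class with the old FQCN lets the blob decode, and that re-serializing the token drops the reference so the shim can be removed afterwards. DemoToken, legacyRoleBlob, legacySessionBlob, safelyUnserialize, handleUnserializeCallback and declareLegacyRoleShim are hypothetical names; that 4.x stored Role objects in slot 2 of the AbstractToken array while 5.x writes null there, and the exception marker code, are my assumptions. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not code from the issue, Symfony or the ajgl package.

namespace Symfony\Component\Security\Core\Role {
    // Hypothetical stand-in for the class removed in 5.0. Same FQCN and same
    // private property name as the 4.x class, so the mangled "\0Class\0role"
    // key in the blob matches. Declared inside a function so phase 1 below can
    // run without it (an unconditional top-level class would be hoisted).
    function declareLegacyRoleShim(): void
    {
        if (class_exists(Role::class, false)) {
            return;
        }
        final class Role
        {
            private string $role;

            public function getRole(): string
            {
                return $this->role;
            }
        }
    }
}

namespace {
    // Hypothetical token mirroring the 5.x shape (assumption): slot 2 is written
    // as null and skipped on read, whereas 4.x wrote Role objects there.
    final class DemoToken
    {
        private string $user;
        private bool $authenticated;
        private array $attributes;
        private array $roleNames;

        public function __serialize(): array
        {
            return [$this->user, $this->authenticated, null, $this->attributes, $this->roleNames];
        }

        public function __unserialize(array $data): void
        {
            [$this->user, $this->authenticated, , $this->attributes, $this->roleNames] = $data;
        }

        public function getRoleNames(): array
        {
            return $this->roleNames;
        }
    }

    // Constructed input: one 4.x Role object as it appears inside the session blob.
    function legacyRoleBlob(string $role): string
    {
        $class = 'Symfony\Component\Security\Core\Role\Role';
        $prop  = "\0" . $class . "\0role"; // PHP's private-property name mangling
        return sprintf('O:%d:"%s":1:{s:%d:"%s";s:%d:"%s";}',
            strlen($class), $class, strlen($prop), $prop, strlen($role), $role);
    }

    // Constructed input: a DemoToken as a 4.x-era token would have been serialized.
    function legacySessionBlob(): string
    {
        $parts = 'i:0;' . serialize('user')
               . 'i:1;' . serialize(true)
               . 'i:2;a:1:{i:0;' . legacyRoleBlob('ROLE_USER') . '}'
               . 'i:3;' . serialize([])
               . 'i:4;' . serialize(['ROLE_USER']);
        return sprintf('O:%d:"%s":5:{%s}', strlen(DemoToken::class), DemoToken::class, $parts);
    }

    const CLASS_NOT_FOUND_CODE = 0x37313bc; // arbitrary marker: catch only our own throw

    function handleUnserializeCallback(string $class): void
    {
        throw new \ErrorException('Class not found: ' . $class, CLASS_NOT_FOUND_CODE);
    }

    // Same pattern ContextListener uses: a callback that throws instead of letting
    // PHP silently build __PHP_Incomplete_Class, and null (token dropped) on failure.
    function safelyUnserialize(string $blob): ?object
    {
        $prev = ini_set('unserialize_callback_func', 'handleUnserializeCallback');
        try {
            $value = unserialize($blob);
            return is_object($value) ? $value : null;
        } catch (\ErrorException $e) {
            if ($e->getCode() !== CLASS_NOT_FOUND_CODE) {
                throw $e;
            }
            return null;
        } finally {
            ini_set('unserialize_callback_func', (string) $prev);
        }
    }

    $blob = legacySessionBlob();

    // Phase 1: 5.x without the Role class -> unserialize fails -> user logged out.
    $token = safelyUnserialize($blob);
    echo 'without shim: ', $token === null ? 'class not found, token dropped' : 'restored', PHP_EOL;

    // Phase 2: with the shim loaded (what the package does) the token decodes.
    \Symfony\Component\Security\Core\Role\declareLegacyRoleShim();
    $token = safelyUnserialize($blob);
    echo 'with shim: restored, roles=', implode(',', $token->getRoleNames()), PHP_EOL;

    // Phase 3: saving the session rewrites the token in the 5.x shape; the Role
    // reference is gone, so the shim is only needed until every session is rewritten.
    $upgraded = serialize($token);
    echo 'upgraded blob references Role class: ', str_contains($upgraded, 'Role\Role') ? 'yes' : 'no', PHP_EOL;
}
```

Run it with `php demo.php`. The check in phase 3 is the one to keep in mind operationally: the shim has to stay installed until every live session has been written back at least once (or until the sessions have expired), because a session that was never rewritten still carries the old class name.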
