Session created by default handlers on stateless firewalls #51319
chalasr added a commit that referenced this issue Aug 25, 2023

… (Seb33300)

This PR was squashed before being merged into the 6.3 branch.

Discussion
----------

[Security] Prevent creating session in stateless firewalls

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #51319
| License       | MIT
| Doc PR        |

Please check related issue for details.

Same as #51320 with `@chalasr` suggestion: #51320 (comment)

Commits
-------

4efd50e [Security] Prevent creating session in stateless firewalls
symfony-splitter pushed a commit to symfony/security-http that referenced this issue Aug 25, 2023

… (Seb33300)

This PR was squashed before being merged into the 6.3 branch.

Discussion
----------

[Security] Prevent creating session in stateless firewalls

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix symfony/symfony#51319
| License       | MIT
| Doc PR        |

Please check related issue for details.

Same as symfony/symfony#51320 with `@chalasr` suggestion: symfony/symfony#51320 (comment)

Commits
-------

4efd50e34c [Security] Prevent creating session in stateless firewalls
Symfony version(s) affected
6.3
Description
Tests are broken on that project since Symfony 6.0, and after more investigation I found that Symfony is starting the session in `DefaultAuthenticationSuccessHandler::onAuthenticationSuccess()` when `determineTargetUrl()` reads the session to get the target URL, even if the firewall is marked as stateless.
This results in the error:
How to reproduce
Set up a stateless firewall using `DefaultAuthenticationSuccessHandler`.
See failing test here: hwi/HWIOAuthBundle#1938
Possible Solution
No response
Additional Context
No response
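
The behaviour reported above, shown from the defensive side as an added example (not Symfony's code and not the merged fix): a success handler that resolves the redirect target without reading the session on a stateless request, followed by a check that the session was never started. The class name, the `api` firewall name, the `/login/check` path and the use of the `_stateless` request attribute as the stateless signal are assumptions made for this example.

```php
<?php
// Added example, not Symfony's code. Needs symfony/security-http via Composer.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
use Symfony\Component\Security\Core\Authentication\Token\NullToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
use Symfony\Component\Security\Http\Util\TargetPathTrait;

// Hypothetical handler: resolves the redirect target without touching the
// session when the request is stateless or carries no session cookie.
final class StatelessAwareSuccessHandler implements AuthenticationSuccessHandlerInterface
{
    use TargetPathTrait;

    public function __construct(private string $firewallName, private string $defaultPath = '/') {}

    public function onAuthenticationSuccess(Request $request, TokenInterface $token): ?Response
    {
        return new RedirectResponse($this->determineTargetUrl($request));
    }

    private function determineTargetUrl(Request $request): string
    {
        // Reading the session would start it, so bail out before getSession().
        if ($request->attributes->getBoolean('_stateless') || !$request->hasPreviousSession()) {
            return $this->defaultPath;
        }
        $session = $request->getSession();
        $target = $this->getTargetPath($session, $this->firewallName);
        $this->removeTargetPath($session, $this->firewallName);
        return $target ?? $this->defaultPath;
    }
}

// Constructed request: a session is attached but not started, and the
// request is flagged stateless (assumed to be what a stateless firewall does).
$session = new Session(new MockArraySessionStorage());
$request = Request::create('/login/check'); // hypothetical path
$request->setSession($session);
$request->attributes->set('_stateless', true);
$response = (new StatelessAwareSuccessHandler('api'))->onAuthenticationSuccess($request, new NullToken());
if ($session->isStarted()) { throw new LogicException('session was started on a stateless request'); }
echo $response->getTargetUrl(), PHP_EOL;
```

The same `isStarted()` assertion can be run against any handler registered on a stateless firewall as a regression check.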