
[Security] Stateless routes remove existing session #57851


Closed
micheh opened this issue Jul 27, 2024 · 0 comments

micheh commented Jul 27, 2024

Symfony version(s) affected

6.4.9

Description

When an application has a firewall that includes both routes with stateless: true and routes that use the session, the routes with stateless: true will remove the session data and session cookie. This means that the user has to reauthenticate if they visit a route that uses the session after visiting a route with stateless: true.

I think the stateless routes should simply ignore the session data and should not actively remove an existing session.

How to reproduce

  1. Create two routes, one with stateless: true and one without.
  2. Visit the route that uses the session and stores the user in the session.
  3. Visit the route with stateless: true. This route will remove the user in the session and delete the session cookie.

Possible Solution

The problem is that the ContextListener removes the session data in the kernel.response event:

```php
if (!$this->trustResolver->isAuthenticated($token)) {
    if ($request->hasPreviousSession()) {
        $session->remove($this->sessionKey);
    }
} else {
```

The first if statement will always be true, as the token is always null and therefore the user is not authenticated. $request->hasPreviousSession() will also be true if the user has a session cookie from the previous request.

ContextListener::onKernelResponse should probably also check if the request is stateless and return early when this is the case. This event listener either stores the token in the session or removes the session data, neither of which should be actions for stateless requests.

Additional Context

This bug was introduced in #57372

@micheh micheh added the Bug label Jul 27, 2024
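The following is an added example, not code from the Symfony project or from the reporter. It is a deliberately small model of the request/response listener pair the issue describes, written to make the three-step reproduction above runnable offline: `FakeSession`, `FakeRequest` and `ContextListenerModel` are hypothetical stand-ins for Symfony's session, request and `ContextListener`, and the two constructor flags model, respectively, the stateless check on the request side (the change from #57372) and the early return on the response side that the issue proposes. The model assumes, as the issue states, that `isAuthenticated()` is false for a null token.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. All class, method and constant names here
// are hypothetical stand-ins for ContextListener, Request and SessionInterface.

final class FakeSession
{
    /** @var array<string, mixed> */
    private array $data = [];

    public function set(string $key, mixed $value): void { $this->data[$key] = $value; }
    public function get(string $key): mixed { return $this->data[$key] ?? null; }
    public function remove(string $key): void { unset($this->data[$key]); }
}

final class FakeRequest
{
    // Security token resolved for this request; null means "not authenticated".
    public ?string $token = null;

    public function __construct(
        public readonly FakeSession $session,
        public readonly bool $stateless,           // route configured with stateless: true
        public readonly bool $hasPreviousSession,  // the client sent a session cookie
    ) {}
}

final class ContextListenerModel
{
    private const SESSION_KEY = '_security_main';

    public function __construct(
        private readonly bool $skipStatelessOnRequest,   // models the check added in #57372
        private readonly bool $skipStatelessOnResponse,  // models the early return proposed in the issue
    ) {}

    public function onKernelRequest(FakeRequest $request): void
    {
        if ($this->skipStatelessOnRequest && $request->stateless) {
            return; // token is never loaded from the session, so it stays null
        }
        $request->token = $request->session->get(self::SESSION_KEY);
    }

    public function onKernelResponse(FakeRequest $request): void
    {
        if ($this->skipStatelessOnResponse && $request->stateless) {
            return;
        }
        // Mirrors the snippet quoted in the issue: a null token counts as
        // unauthenticated, and an unauthenticated request that arrived with a
        // previous session wipes the stored token.
        if ($request->token === null) {
            if ($request->hasPreviousSession) {
                $request->session->remove(self::SESSION_KEY);
            }
        } else {
            $request->session->set(self::SESSION_KEY, $request->token);
        }
    }
}

/** Runs the reproduction from the issue and reports whether the user survives it. */
function userStillAuthenticated(ContextListenerModel $listener): bool
{
    $session = new FakeSession();

    // Stateful route: the user authenticates and the token is stored in the session.
    $login = new FakeRequest($session, stateless: false, hasPreviousSession: false);
    $listener->onKernelRequest($login);
    $login->token = 'user:alice'; // an authenticator populated the token
    $listener->onKernelResponse($login);

    // Stateless route, visited with the session cookie from the previous request.
    $api = new FakeRequest($session, stateless: true, hasPreviousSession: true);
    $listener->onKernelRequest($api);
    $listener->onKernelResponse($api);

    // Back on a stateful route: is the token still in the session?
    $page = new FakeRequest($session, stateless: false, hasPreviousSession: true);
    $listener->onKernelRequest($page);

    return $page->token === 'user:alice';
}

$variants = [
    '6.4.9 as reported (request-side check only)' => new ContextListenerModel(true, false),
    'proposed (check on request and response)'    => new ContextListenerModel(true, true),
    'merged fix (request-side check reverted)'    => new ContextListenerModel(false, false),
];

foreach ($variants as $label => $listener) {
    printf("%-45s user still authenticated: %s\n", $label, userStillAuthenticated($listener) ? 'yes' : 'no');
}
```

Run it with `php stateless_session.php`. The first variant loses the user because the stateless request arrives with a session cookie but never loads a token, so the response listener treats it as a logged-out request and removes the stored token; both the proposed early return and the merged revert keep the token intact. The model is only the control flow the issue discusses and leaves out everything else the real `ContextListener` does (token refresh, user deauthentication checks, session usage tracking), so it should be read as an illustration of the reported interaction, not as a replacement for testing against the actual firewall.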
fabpot added a commit that referenced this issue Aug 14, 2024
…centLanglet)

This PR was merged into the 5.4 branch.

Discussion
----------

[Security] Revert stateless check for ContextListener

This reverts commit 40341a1.

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #57851
| License       | MIT

Closes #57854

Cf #57854 (comment)

Commits
-------

188e2d2 Revert stateless check
@fabpot fabpot closed this as completed Aug 14, 2024