Fix for issue 1798 #2528
Conversation
…event infinite redirect loops to the login path (fixes symfony#1798).
if ($authException instanceof AccountStatusException && $response instanceof Response) { | ||
// clear the session cookie to prevent infinite redirect loops | ||
$cookieParams = session_get_cookie_params(); |
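Review bot: expiring the whole session cookie via `session_get_cookie_params()` here discards every key the application keeps in the session, not only the firewall's token, and it bypasses the Session abstraction the listener otherwise uses; it also only drops the client's reference, while the server-side session data stays in place until garbage collection. Prefer removing the firewall's own entry, e.g. `$request->getSession()->remove('_security_'.$providerKey);`, or, if a full reset is really intended, invalidating the session through the session API rather than touching raw cookie parameters.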
You should not clear the whole session cookie but only the security stuff (what if the application stores other things in the cookies?)
In my application I store other settings in the session, too, and those are of course user related, too, so at least in my case it is correct in this way... so you propose to do something like `$request->getSession()->remove('_security_main');`?
yes. Your implementation is really destructive and has many side-effects on user-land code.
A solution to improve it could be to add a hook to allow adding some logic here (like the LogoutHandler for the logout)
@stof I have changed the code so that it only removes the token... do we still need any hook support?
well, the hook is for your own use case but it would be for 2.1 only anyway, not for 2.0
@@ -158,6 +160,12 @@ class ExceptionListener | |||
|
|||
$this->setTargetPath($request); | |||
|
|||
if ($authException instanceof AccountStatusException && ($token = $this->context->getToken()) instanceof UsernamePasswordToken) { |
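Review bot: the `instanceof UsernamePasswordToken` guard means an AccountStatusException raised while refreshing any other token class leaves that token in the session, so the redirect loop is fixed only for form-login firewalls; the guard is narrowed to this class only because it exposes the provider key needed for the `_security_*` session key. Either test for the token interface and obtain the firewall name another way, or add a comment on this line stating why the fix is limited to UsernamePasswordToken.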
Why restrict this behavior to UsernamePasswordToken tokens?
That's because the issue should only occur if the firewall tries to reload the user and this can only be done if there is a username.
@snc all tokens contain a user and all listeners reload the user (a listener not doing it would be an issue if an admin locked the user for instance, and thus it would be a detached Doctrine entity causing many WTF).
@stof I rechecked why I used UsernamePasswordToken: it is the parent class which contains the providerKey, which is needed to get the name of the session variable.
Now that #2414 is merged to 2.1, this could be simplified for the master branch...
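The loop the thread describes, and why removing only the firewall's `_security_<providerKey>` entry breaks it without destroying the rest of the session, as an added stand-alone example. This is not Symfony's code and not the PR's diff: the `Session`, `UsernamePasswordToken` and `UserProvider` classes below are minimal stand-ins whose names and methods are assumptions modelled on the discussion, and the locked user and the `_locale` entry are constructed test data.

```php
<?php
// Added example, not Symfony's implementation. The classes below are stand-ins
// (assumed names/methods) that reproduce the behaviour discussed in the PR.

class AccountStatusException extends RuntimeException {}
class LockedException extends AccountStatusException {}

// Stand-in for the session: a plain key/value bag.
final class Session
{
    private array $data = [];
    public function set(string $k, $v): void { $this->data[$k] = $v; }
    public function get(string $k) { return $this->data[$k] ?? null; }
    public function remove(string $k): void { unset($this->data[$k]); }
    public function all(): array { return $this->data; }
}

// Stand-in for UsernamePasswordToken: carries the firewall name (providerKey),
// which is what names the session entry "_security_<providerKey>".
final class UsernamePasswordToken
{
    public function __construct(public string $username, public string $providerKey) {}
}

// Stand-in user provider: refreshing a locked user throws, exactly the case
// (deleted / disabled / locked) that triggers the redirect to the login path.
final class UserProvider
{
    public function __construct(private array $locked) {}
    public function refreshUser(UsernamePasswordToken $t): void
    {
        if (in_array($t->username, $this->locked, true)) {
            throw new LockedException("User {$t->username} is locked");
        }
    }
}

// Before the fix: the token survives in the session, so every request,
// including the one for /login itself, is redirected back to /login.
function handleRequestWithoutFix(Session $s, UserProvider $p, string $providerKey): string
{
    $token = $s->get("_security_$providerKey");
    if ($token instanceof UsernamePasswordToken) {
        try { $p->refreshUser($token); }
        catch (AccountStatusException $e) { return 'redirect:/login'; }
    }
    return '200 OK';
}

// The narrowed fix in stand-in form: on AccountStatusException drop only the
// firewall's own entry so the next request arrives anonymously; unrelated
// session keys (here "_locale") are left untouched.
function handleRequestWithFix(Session $s, UserProvider $p, string $providerKey): string
{
    $key = "_security_$providerKey";
    $token = $s->get($key);
    if ($token instanceof UsernamePasswordToken) {
        try { $p->refreshUser($token); }
        catch (AccountStatusException $e) {
            $s->remove($key);
            return 'redirect:/login';
        }
    }
    return '200 OK';
}

// Replay requests against one session; the cap makes the infinite loop visible.
function simulate(callable $handler, int $max = 5): array
{
    $s = new Session();
    $s->set('_security_main', new UsernamePasswordToken('alice', 'main'));
    $s->set('_locale', 'de');                 // constructed unrelated state
    $p = new UserProvider(['alice']);         // constructed: alice is locked
    $trace = [];
    for ($i = 0; $i < $max; $i++) {
        $r = $handler($s, $p, 'main');
        $trace[] = $r;
        if ($r === '200 OK') { break; }
    }
    return ['trace' => $trace, 'session' => $s->all()];
}

print_r(simulate('handleRequestWithoutFix')); // five redirects: the loop
print_r(simulate('handleRequestWithFix'));    // one redirect, then 200; _locale kept
```

The two traces make the trade-off concrete: the first handler never reaches `200 OK` because the stale token is re-validated on every request, while the second removes only `_security_main` and the session still carries `_locale` afterwards, which is the objection raised against expiring the whole cookie.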
Commits
-------
f9befb6 Remove only the security token instead of the session cookie.
348bccb Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).

Discussion
----------
Fix for issue 1798

Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes

Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).

---------------------------------------------------------------------------

by snc at 2011/11/01 04:01:49 -0700

@stof I have changed the code so that it only removes the token... do we still need any hook support?

---------------------------------------------------------------------------

by stof at 2011/11/01 04:07:17 -0700

well, the hook is for your own use case but it would be for 2.1 only anyway, not for 2.0

---------------------------------------------------------------------------

by snc at 2011/11/07 15:11:52 -0800

Now that #2414 is merged to 2.1, this could be simplified for the master branch...
Commits
-------
4d80ebd Remove security token if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).

Discussion
----------
[2.1] Fix for issue 1798

Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Fixes the following tickets: #1798

This is a simplified PR of #2528 for the master branch.
Bug fix: yes
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).