Fix for issue 1798 #2528


Merged
merged 2 commits into from
Nov 10, 2011
Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).
snc committed Oct 31, 2011
commit 348bccbbca2bc1d84d7aae153ecc98a1553dea6f
Expand Up @@ -16,6 +16,7 @@
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
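Review bot: this hunk adds only the `AccountStatusException` import, yet the new branch in `startAuthentication` also tests `$response instanceof Response`; confirm that `Symfony\Component\HttpFoundation\Response` is already imported in this file, because in a namespaced class an unqualified `Response` that is not imported resolves against the firewall's own namespace, the `instanceof` is silently false, and the cookie is never cleared.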
Expand Down Expand Up @@ -158,7 +159,15 @@ private function startAuthentication(Request $request, AuthenticationException $

$this->setTargetPath($request);

return $this->authenticationEntryPoint->start($request, $authException);
$response = $this->authenticationEntryPoint->start($request, $authException);

if ($authException instanceof AccountStatusException && $response instanceof Response) {
// clear the session cookie to prevent infinite redirect loops
$cookieParams = session_get_cookie_params();

You should not clear the whole session cookie but only the security stuff (what if the application stores other things in the cookies?)


In my application I store other settings in the session, too, and those are of course user related, too, so at least in my case it is correct in this way... so you propose to do something like $request->getSession()->remove('_security_main');?


Yes. Your implementation is really destructive and has many side-effects on user-land code.

A solution to improve it could be to add a hook to allow adding some logic here (like the LogoutHandler for the logout)

$response->headers->clearCookie(session_name(), $cookieParams['path'], $cookieParams['domain']);
}

return $response;
}

protected function setTargetPath(Request $request)
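Review bot: `clearCookie(session_name(), ...)` in the new branch discards the entire session, not just the authentication token, and it is sent for every `AccountStatusException` regardless of whether the entry point response is actually a redirect. Scope the fix to the security token (for example `$request->getSession()->remove('_security_main')`, ideally using the firewall's own context key rather than a hard-coded provider name) and apply it only when the response redirects back to the login path, since that is the only case that produces the loop. Note also that `session_get_cookie_params()` and `session_name()` read PHP's global session configuration, which need not match the session storage Symfony is configured with, so the cookie path, domain and name used here may not be the ones the application's session cookie actually carries.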