Sorry for re-posting if both messages get through. The previous message doesn't show up.
________________________________
From: Mark <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Monday, 5 September 2011, 15:28
Subject: Security token serialization on logout

Hello,

When trying to disconnect (logout) a user using "invalidate_session: false" in security.yml, no action is taken and the user remains logged in. The logout listener sets the security token to null, but then the implementation in Symfony\Component\Security\Http\Firewall\ContextListener::onKernelResponse() bails without modifying the session if the token is null. The token then remains unchanged.

I was wondering if the response handler shouldn't rather be implemented along these lines:

```php
// These use statements belong at the top of ContextListener.php.
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;

// Proposed replacement for ContextListener::onKernelResponse().
public function onKernelResponse(FilterResponseEvent $event)
{
    // Only write the token back for the master request, never for sub-requests.
    if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
        return;
    }

    $sessionKey = '_security_'.$this->contextKey;
    $token = $this->context->getToken();

    // A null token (after logout) or an anonymous token means there is nothing
    // worth keeping: remove the stale serialized token instead of bailing out.
    if ((null === $token) || ($token instanceof AnonymousToken)) {
        if (null !== $this->logger) {
            $this->logger->debug('Remove SecurityContext token from the session');
        }
        $event->getRequest()->getSession()->remove($sessionKey);

        return;
    }

    if (null !== $this->logger) {
        $this->logger->debug('Write SecurityContext in the session');
    }
    $event->getRequest()->getSession()->set($sessionKey, serialize($token));
}
```

Any feedback is welcome.

Thanks
Mark

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
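The behaviour Mark describes, as an added stand-alone simulation that is not part of his message or of Symfony: FakeSession, UserToken and AnonToken are constructed stand-ins for the session and token classes, and persistToken() models the original write-back logic (bail out on a null token) next to the proposed one (remove the session key). The context key "secured_area" and the user name are constructed values.

```php
<?php
// Added example: simulate the session write-back after login and after logout.

class FakeSession
{
    private array $data = [];
    public function set(string $k, string $v): void { $this->data[$k] = $v; }
    public function remove(string $k): void { unset($this->data[$k]); }
    public function has(string $k): bool { return isset($this->data[$k]); }
}

class UserToken { public function __construct(public string $user) {} }
class AnonToken {}

// $removeOnNull = false reproduces the original ContextListener behaviour
// (return early when the token is null or anonymous, leaving the session
// untouched); true applies the proposed fix (drop the stale session key).
function persistToken(FakeSession $session, ?object $token, bool $removeOnNull): void
{
    $key = '_security_secured_area'; // "_security_" . contextKey (constructed)

    if ($token === null || $token instanceof AnonToken) {
        if ($removeOnNull) {
            $session->remove($key);
        }
        return;
    }
    $session->set($key, serialize($token));
}

// Runs a login response followed by a logout response (logout listener has
// already set the token to null) and reports whether a serialized token is
// still stored in the session afterwards.
function tokenSurvivesLogout(bool $removeOnNull): bool
{
    $session = new FakeSession();
    persistToken($session, new UserToken('alice'), $removeOnNull); // login
    persistToken($session, null, $removeOnNull);                   // logout
    return $session->has('_security_secured_area');
}

var_dump(tokenSurvivesLogout(false)); // original logic
var_dump(tokenSurvivesLogout(true));  // proposed logic
```

With the original logic the serialized token survives the logout response, which is why the user still appears logged in when invalidate_session is false; with the proposed logic the key is removed.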
