Hello,
When trying to disconnect (logout) a user using "invalidate_session: false" in
security.yml, no action is taken and the user remains logged in. The logout
listener sets the security token to null but then the implementation in
Symfony\Component\Security\Http\Firewall\ContextListener::onKernelResponse()
bails without modifying the session if the token is null. The token then
remains unchanged.
I was wondering if the response handler shouldn't rather be implemented along
these lines:
    public function onKernelResponse(FilterResponseEvent $event)
    {
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        $sessionKey = '_security_'.$this->contextKey;
        $token = $this->context->getToken();

        // A null or anonymous token means the user has logged out: drop the stored token
        if ((null === $token) || ($token instanceof AnonymousToken)) {
            if (null !== $this->logger) {
                $this->logger->debug('Remove SecurityContext token from the session');
            }
            $event->getRequest()->getSession()->remove($sessionKey);

            return;
        }

        if (null !== $this->logger) {
            $this->logger->debug('Write SecurityContext in the session');
        }
        $event->getRequest()->getSession()->set($sessionKey, serialize($token));
    }
Any feedback is welcome.
Thanks
Mark
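The following is an added example, not Symfony's code and not part of the original post. It is a self-contained PHP simulation of the two behaviours described above: an array-backed session stand-in plus two small functions that mimic the "bail out on null token" logic and the proposed "remove on null or anonymous token" logic, and then a simulated next request that reads the token back the way the context listener would. The class and function names (ArraySession, UserToken, AnonymousToken, persistTokenCurrent, persistTokenProposed, restoreToken) and the context key 'main' are constructed for the example.

```php
<?php
// Added example: simulates the ContextListener write-back behaviour discussed
// in the post. Nothing here is Symfony's own code; names are hypothetical.

final class ArraySession
{
    private array $data = [];
    public function set(string $k, $v): void    { $this->data[$k] = $v; }
    public function get(string $k)              { return $this->data[$k] ?? null; }
    public function has(string $k): bool        { return array_key_exists($k, $this->data); }
    public function remove(string $k): void     { unset($this->data[$k]); }
}

final class AnonymousToken {}                                  // stand-in for the anonymous token
final class UserToken { public function __construct(public string $username) {} }

// Behaviour described in the post: a null token makes the handler return early,
// so the token serialized during login is never removed from the session.
function persistTokenCurrent(ArraySession $session, string $key, ?object $token): void
{
    if (null === $token) {
        return;                                                // session left untouched
    }
    $session->set($key, serialize($token));
}

// Proposed behaviour: null or anonymous token => remove the stored token.
function persistTokenProposed(ArraySession $session, string $key, ?object $token): void
{
    if (null === $token || $token instanceof AnonymousToken) {
        $session->remove($key);
        return;
    }
    $session->set($key, serialize($token));
}

// What the next request would see: the stored token is unserialized back into a
// security token, which is how a stale token keeps the user "logged in".
function restoreToken(ArraySession $session, string $key): ?object
{
    $raw = $session->get($key);
    return is_string($raw) ? unserialize($raw) : null;
}

$key = '_security_main';                                       // '_security_' . contextKey

foreach (['persistTokenCurrent', 'persistTokenProposed'] as $fn) {
    $session = new ArraySession();
    $fn($session, $key, new UserToken('alice'));               // response after login
    $fn($session, $key, null);                                  // response after logout
    $restored = restoreToken($session, $key);                   // next request

    printf("%-20s next request sees: %s\n",
        $fn,
        $restored instanceof UserToken ? "user '{$restored->username}' (still logged in)" : 'no token');
}
```

Running it prints one line per variant: the current behaviour leaves `alice` logged in on the next request, while the proposed one yields no token. This also explains why the problem only surfaces with `invalidate_session: false`: when the whole session is invalidated on logout, the stale serialized token disappears with it, so the early return in the response handler is never noticed.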
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en