Hello devs - I wanted to verify this as a bug before submitting a pull 
request.

Within a Session, there doesn't seem to be a way to terminate a Token aside 
from completely invalidating the Session. During a particular request the 
Token can be removed, but the removal will never make it into the actual 
SessionStorage for the next request. I tracked the behavior down to 
ContextListener->onKernelResponse which only touches the Session if a token 
is present.

    if (null === $token = $this->context->getToken()) {
        return;
    }

    if (null === $token || $token instanceof AnonymousToken) {
        return;
    }

    $event->getRequest()->getSession()->set('_security_'.$this->contextKey, serialize($token));

The only other workaround that I see is to invalidate the session like the 
SessionLogoutHandler, but that doesn't seem appropriate if the rest of the 
session data can be kept intact. My solution is to always remove the 
security key from the session if the token is unused.

    $session = $event->getRequest()->getSession();

    if ((null === $token = $this->context->getToken()) || ($token instanceof AnonymousToken)) {
        $session->remove('_security_'.$this->contextKey);
    } else {
        $session->set('_security_'.$this->contextKey, serialize($token));
    }

The ContextListener doesn't have any tests to prove either way, and the 
current logic has been around since the file was originally committed in 
HttpKernel. My above solution and unit test are at
https://github.com/dpb587/symfony/commit/dabff0e4d50aae778a71f2a951d6428abdaf7021

If anybody has insight to confirm what's expected or what a more appropriate 
solution/workaround is, I'd appreciate it. Thanks for your time!

Danny
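To make the cross-request effect described above concrete, here is an added example (not part of the original message, and not Symfony's own code). It models the two versions of the kernel.response logic against an in-memory session over three simulated requests. The `ArraySession`, `UsernamePasswordToken` and `AnonymousToken` classes and the `persistOriginal`/`persistProposed` functions are hypothetical stand-ins for Symfony's Session, token classes and ContextListener::onKernelResponse; the context key `main` is a constructed value.

```php
<?php
// Added example, not from the original message or from Symfony: a reduced
// model of ContextListener::onKernelResponse before and after the proposed
// change. All class and function names are hypothetical stand-ins.

interface TokenInterface {}

final class UsernamePasswordToken implements TokenInterface {
    public function __construct(public string $username) {}
}

final class AnonymousToken implements TokenInterface {}

// Minimal in-memory stand-in for Symfony's Session.
final class ArraySession {
    private array $data = [];
    public function set(string $key, mixed $value): void { $this->data[$key] = $value; }
    public function get(string $key): mixed { return $this->data[$key] ?? null; }
    public function remove(string $key): void { unset($this->data[$key]); }
    public function has(string $key): bool { return array_key_exists($key, $this->data); }
    public function keys(): array { return array_keys($this->data); }
}

// Original behaviour: an early return leaves the session untouched when the
// token is absent or anonymous, so a previously stored token stays in place.
function persistOriginal(?TokenInterface $token, ArraySession $session, string $sessionKey): void {
    if (null === $token || $token instanceof AnonymousToken) {
        return;
    }
    $session->set($sessionKey, serialize($token));
}

// Proposed behaviour: an absent or anonymous token clears the stored entry,
// while the rest of the session data is left intact.
function persistProposed(?TokenInterface $token, ArraySession $session, string $sessionKey): void {
    if (null === $token || $token instanceof AnonymousToken) {
        $session->remove($sessionKey);
        return;
    }
    $session->set($sessionKey, serialize($token));
}

// Simulates: request 1 authenticates; request 2 re-hydrates the token from the
// session (as ContextListener::onKernelRequest would) and the application then
// drops it via setToken(null); request 3 re-hydrates whatever is still stored.
// Returns the token request 3 sees plus the session keys that survived.
function simulate(callable $persist, string $contextKey): array {
    $sessionKey = '_security_'.$contextKey;
    $session = new ArraySession();
    $session->set('cart', ['sku-123']); // unrelated data the application wants to keep

    // Request 1: login, then kernel.response stores the token.
    $persist(new UsernamePasswordToken('alice'), $session, $sessionKey);

    // Request 2: token re-hydrated, application removes it, kernel.response runs.
    $rehydrated = $session->has($sessionKey) ? unserialize($session->get($sessionKey)) : null;
    $token = null; // application-level removal of the token for this request
    $persist($token, $session, $sessionKey);

    // Request 3: what would be re-hydrated now?
    $nextToken = $session->has($sessionKey) ? unserialize($session->get($sessionKey)) : null;

    return [
        'request2_saw'   => $rehydrated instanceof UsernamePasswordToken ? $rehydrated->username : null,
        'request3_sees'  => $nextToken instanceof UsernamePasswordToken ? $nextToken->username : null,
        'remaining_keys' => $session->keys(),
    ];
}

print_r(simulate('persistOriginal', 'main'));
print_r(simulate('persistProposed', 'main'));
```

With `persistOriginal`, the entry written in request 1 is never removed, so request 3 re-hydrates `alice` again even though request 2 explicitly set the token to null; with `persistProposed`, request 3 gets no token while the `cart` entry is still present, which is the difference from the invalidate-the-whole-session approach of SessionLogoutHandler. The model runs under PHP 8.0 or later because of the promoted constructor property and the `mixed` type.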

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.