Currently, when an AuthenticationListener attempts to authenticate a user and that call fails, the onFailure method is called and the current token is set to null (see AbstractAuthenticationListener.php <https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php#L192>).

This prevents the currently existing token from remaining active, even if it's valid, which in turn does not allow one to use a concept of upgrading a token. After a quick look at the Spring source code to compare implementations, I've noticed that the AbstractAuthenticationProcessingFilter <https://github.com/SpringSource/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java#L337> does something similar.

The user story goes like this:

- A user visits *http://example.com* and is redirected to the firewall entry point at */welcome*, a page with a form to fill in with some data (e.g. nationality).
- The form is validated and, if valid, a token similar to *AnonymousToken* is issued, e.g. *EntryToken*; any user with this token can visit any page.
- The user wants to check his profile. He visits */login* to enter his username and password. The form is submitted and the password is wrong.
- The user is now taken to the entry point, since the *EntryToken* was replaced by an *AnonymousToken* instead.
- Had the password been correct, a *UsernamePasswordToken* would have been issued instead.

This can be worked around in many different ways but, after pinging @schmittjoh about it, I think it might be worth discussing: is clearing the context really necessary? What other effective ways are there to achieve the same goal without creating such constraints?

Thanks for your time,

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
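The two behaviours under discussion, as an added example that is not part of the original post and does not use Symfony's own classes: a self-contained PHP 8.1 model in which `TokenStorage`, `AnonymousToken`, `EntryToken`, `UsernamePasswordToken`, the `USERS` credential table and the two `onFailure*` handlers are all constructed stand-ins. `onFailureClear` mirrors what the post says the listener does today (set the token to null), while `onFailureKeepEntry` implements the "upgrade" semantics the post asks for, with the guard a practitioner would want: the previous token is only restored when it is of the low-privilege entry class, so a failed attempt can never leave the session holding a more privileged token than it started with.

```php
<?php
// Added example, not Symfony code. All class and function names below are
// constructed stand-ins modelling the behaviour described in the post.

interface Token { public function getRoles(): array; }

final class AnonymousToken implements Token {
    public function getRoles(): array { return []; }
}

// Issued after the /welcome form is valid; lets the user browse any page.
final class EntryToken implements Token {
    public function __construct(public readonly string $nationality) {}
    public function getRoles(): array { return ['ROLE_ENTRY']; }
}

// Issued after a correct username/password at /login.
final class UsernamePasswordToken implements Token {
    public function __construct(public readonly string $username) {}
    public function getRoles(): array { return ['ROLE_ENTRY', 'ROLE_USER']; }
}

final class TokenStorage {
    private ?Token $token = null;
    public function getToken(): ?Token { return $this->token; }
    public function setToken(?Token $token): void { $this->token = $token; }
}

final class AuthenticationException extends RuntimeException {}

// Constructed sample credentials (plain text only because it is sample data).
const USERS = ['alice' => 'correct horse'];

function attemptLogin(string $user, string $password): UsernamePasswordToken {
    if (!isset(USERS[$user]) || !hash_equals(USERS[$user], $password)) {
        throw new AuthenticationException('Bad credentials');
    }
    return new UsernamePasswordToken($user);
}

// Strategy 1: what the post describes the listener doing today.
function onFailureClear(TokenStorage $storage, Token $previous): void {
    $storage->setToken(null); // the next request gets an AnonymousToken again
}

// Strategy 2: keep the pre-existing token so it can be "upgraded" later.
// The instanceof guard is the important part: only the low-privilege entry
// token is retained, never an already-authenticated token, so a failed
// attempt cannot leave the session more privileged than it was before.
function onFailureKeepEntry(TokenStorage $storage, Token $previous): void {
    $storage->setToken($previous instanceof EntryToken ? $previous : null);
}

function login(TokenStorage $storage, callable $onFailure, string $user, string $pw): void {
    $previous = $storage->getToken() ?? new AnonymousToken();
    try {
        $storage->setToken(attemptLogin($user, $pw));
    } catch (AuthenticationException) {
        $onFailure($storage, $previous);
    }
}

// Scenario from the post: EntryToken held, wrong password at /login, then retry.
foreach (['onFailureClear', 'onFailureKeepEntry'] as $strategy) {
    $storage = new TokenStorage();
    $storage->setToken(new EntryToken('pt'));

    login($storage, $strategy, 'alice', 'wrong');
    $afterFailure = $storage->getToken();
    printf("%-18s after failed login:  %s\n", $strategy,
        $afterFailure ? $afterFailure::class : 'null (anonymous on next request)');

    login($storage, $strategy, 'alice', 'correct horse');
    $afterSuccess = $storage->getToken();
    printf("%-18s after correct login: %s\n", $strategy, $afterSuccess::class);
}
```

Run with `php example.php`. With `onFailureClear` the failed attempt leaves no token, which is the redirect-to-entry-point behaviour the post complains about; with `onFailureKeepEntry` the `EntryToken` survives the failure and is only replaced once the credentials are correct. Whichever way the discussion goes, the guard is the reason clearing is the conservative default: without it, a fully authenticated user who fails a re-login as someone else would silently keep the original identity.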
