Hi again Ryan,

Just wondered if you or anyone else had any further thoughts on this?
I am checking the lowest-level thing for access: IS_AUTHENTICATED_REMEMBERED.

And once remembered, the user hits a page they don't have access to, but 
they are still asked to log in, rather than being told they are access 
denied, which would be right.

Any ideas?

Many thanks,
Chris Sedlmayr

On Friday, April 27, 2012 8:28:41 PM UTC+1, Chris Sedlmayr wrote:
>
> Hi Ryan,
>
> Yes, I see your point, and it may be the behaviour that is intended, but I 
> don't think it's what we should really do, as it doesn't make sense to me.
>
> Look at it like this:
>
> A user comes to the site, and through the remember me cookie, they are 
> authenticated based on their previous login.
> The page they are accessing happens to be one they do not have access to, 
> maybe their roles have changed since they last were on the site, maybe 
> something else has changed, but whatever the reason, the user itself has 
> not changed, and is authenticated.
> Therefore, they should be presented with an access denied status code and 
> be logged in still, rather than not being logged in and being shown a login 
> form.
>
>
> Does my explanation make sense?
>
>
> Thanks,
> Chris
>
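The behaviour described in this thread matches how Symfony's firewall escalates a failed access check for a remember-me token: a token that is not "full-fledged" (obtained by an explicit login in this session) is sent to the authentication entry point, i.e. the login form, instead of receiving a 403. The following is an added, simplified PHP model of that decision, not code from the thread or from Symfony itself; apart from the IS_AUTHENTICATED_* attribute names, all function and constant names are invented for the illustration.

```php
<?php
// Added illustration of the decision Symfony's firewall makes after an
// authorization check fails. Simplified model; not Symfony's own source.
// The three trust levels use Symfony's real attribute names.

const TRUST_ANONYMOUS  = 'IS_AUTHENTICATED_ANONYMOUSLY';
const TRUST_REMEMBERED = 'IS_AUTHENTICATED_REMEMBERED';
const TRUST_FULLY      = 'IS_AUTHENTICATED_FULLY';

/**
 * Mirrors the trust-resolver rule: only a token produced by an explicit login
 * in the current session is "full-fledged". A remember-me cookie is weaker
 * evidence of identity, so a remembered token is NOT full-fledged.
 */
function isFullFledged(string $trust): bool
{
    return $trust === TRUST_FULLY;
}

/**
 * What happens once access has already been denied. A user who is not fully
 * authenticated is sent to the entry point (login form), because proving
 * their identity again might change the answer (roles are reloaded on login).
 * A fully authenticated user gets a 403, because logging in again cannot help.
 */
function outcomeAfterAccessDenied(string $trust): string
{
    if (!isFullFledged($trust)) {
        return 'redirect_to_login';   // insufficient authentication -> entry point
    }
    return '403_access_denied';       // access denied -> 403 (or access_denied_handler)
}

/** Constructed access check: does the user hold any of the required roles? */
function checkPage(array $userRoles, string $trust, array $requiredRoles): string
{
    if (array_intersect($requiredRoles, $userRoles) !== []) {
        return 'granted';
    }
    return outcomeAfterAccessDenied($trust);
}

// Scenario from the thread: a remembered user whose role no longer suffices,
// then the same user after logging in explicitly with the same roles.
$revokedUserRoles = ['ROLE_USER'];
$adminPage        = ['ROLE_ADMIN'];
echo 'remembered user: ', checkPage($revokedUserRoles, TRUST_REMEMBERED, $adminPage), PHP_EOL;
echo 'fully logged in: ', checkPage($revokedUserRoles, TRUST_FULLY, $adminPage), PHP_EOL;
```

Running both cases side by side shows that the login form is triggered by the token's trust level, not by the missing role itself; only the second case reaches the 403 path.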
