Commit18b1c6a

MacDada

authored and

fabpot

committed

[Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]

1 parent5607f71 commit18b1c6aCopy full SHA for 18b1c6a

File tree

4 files changed

+50

-6

lines changed

src/Symfony/Component/Security
- Http/RememberMe
  - AbstractRememberMeServices.php
- Tests/Http/RememberMe

4 files changed

+50

-6

lines changed

`‎src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -293,7 +293,7 @@ protected function cancelCookie(Request $request)`
`293`	`293`	`$this->logger->debug(sprintf('Clearing remember-me cookie "%s"',$this->options['name']));`
`294`	`294`	`}`
`295`	`295`
`296`		`-$request->attributes->set(self::COOKIE_ATTR_NAME,newCookie($this->options['name'],null,1,$this->options['path'],$this->options['domain']));`
	`296`	`+$request->attributes->set(self::COOKIE_ATTR_NAME,newCookie($this->options['name'],null,1,$this->options['path'],$this->options['domain'],$this->options['secure'],$this->options['httponly']));`
`297`	`297`	`}`
`298`	`298`
`299`	`299`	`/**`

`‎src/Symfony/Component/Security/Tests/Http/RememberMe/AbstractRememberMeServicesTest.php‎`

Lines changed: 29 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,16 +82,35 @@ public function testAutoLogin()`
`82`	`82`	`$this->assertSame('fookey',$returnedToken->getProviderKey());`
`83`	`83`	`}`
`84`	`84`
`85`		`-publicfunctiontestLogout()`
	`85`	`+/**`
	`86`	`+ * @dataProvider provideOptionsForLogout`
	`87`	`+ */`
	`88`	`+publicfunctiontestLogout(array$options)`
`86`	`89`	`{`
`87`		`-$service =$this->getService(null,array('name' =>'foo','path' =>null,'domain' =>null));`
	`90`	`+$service =$this->getService(null,$options);`
`88`	`91`	`$request =newRequest();`
`89`	`92`	`$response =newResponse();`
`90`	`93`	`$token =$this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');`
`91`	`94`
`92`	`95`	`$service->logout($request,$response,$token);`
`93`	`96`
`94`		`-$this->assertTrue($request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME)->isCleared());`
	`97`	`+$cookie =$request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME);`
	`98`	`+`
	`99`	`+$this->assertInstanceOf('Symfony\Component\HttpFoundation\Cookie',$cookie);`
	`100`	`+$this->assertTrue($cookie->isCleared());`
	`101`	`+$this->assertSame($options['name'],$cookie->getName());`
	`102`	`+$this->assertSame($options['path'],$cookie->getPath());`
	`103`	`+$this->assertSame($options['domain'],$cookie->getDomain());`
	`104`	`+$this->assertSame($options['secure'],$cookie->isSecure());`
	`105`	`+$this->assertSame($options['httponly'],$cookie->isHttpOnly());`
	`106`	`+ }`
	`107`	`+`
	`108`	`+publicfunctionprovideOptionsForLogout()`
	`109`	`+ {`
	`110`	`+returnarray(`
	`111`	`+array(array('name' =>'foo','path' =>'/','domain' =>null,'secure' =>false,'httponly' =>true)),`
	`112`	`+array(array('name' =>'foo','path' =>'/bar','domain' =>'baz.com','secure' =>true,'httponly' =>false)),`
	`113`	`+ );`
`95`	`114`	`}`
`96`	`115`
`97`	`116`	`publicfunctiontestLoginFail()`
`@@ -267,6 +286,13 @@ protected function getService($userProvider = null, $options = array(), $logger`
`267`	`286`	`$userProvider =$this->getProvider();`
`268`	`287`	`}`
`269`	`288`
	`289`	`+if (!isset($options['secure'])) {`
	`290`	`+$options['secure'] =false;`
	`291`	`+ }`
	`292`	`+if (!isset($options['httponly'])) {`
	`293`	`+$options['httponly'] =true;`
	`294`	`+ }`
	`295`	`+`
`270`	`296`	`return$this->getMockForAbstractClass('Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices',array(`
`271`	`297`	`array($userProvider),'fookey','fookey',$options,$logger,`
`272`	`298`	`));`

`‎src/Symfony/Component/Security/Tests/Http/RememberMe/PersistentTokenBasedRememberMeServicesTest.php‎`

Lines changed: 10 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -180,7 +180,7 @@ public function testAutoLogin()`
`180`	`180`
`181`	`181`	`publicfunctiontestLogout()`
`182`	`182`	`{`
`183`		`-$service =$this->getService(null,array('name' =>'foo','path' =>'/foo','domain' =>'foodomain.foo'));`
	`183`	`+$service =$this->getService(null,array('name' =>'foo','path' =>'/foo','domain' =>'foodomain.foo','secure' =>true,'httponly' =>false));`
`184`	`184`	`$request =newRequest();`
`185`	`185`	`$request->cookies->set('foo',$this->encodeCookie(array('fooseries','foovalue')));`
`186`	`186`	`$response =newResponse();`
`@@ -201,6 +201,8 @@ public function testLogout()`
`201`	`201`	`$this->assertTrue($cookie->isCleared());`
`202`	`202`	`$this->assertEquals('/foo',$cookie->getPath());`
`203`	`203`	`$this->assertEquals('foodomain.foo',$cookie->getDomain());`
	`204`	`+$this->assertTrue($cookie->isSecure());`
	`205`	`+$this->assertFalse($cookie->isHttpOnly());`
`204`	`206`	`}`
`205`	`207`
`206`	`208`	`publicfunctiontestLogoutSimplyIgnoresNonSetRequestCookie()`
`@@ -311,6 +313,13 @@ protected function getService($userProvider = null, $options = array(), $logger`
`311`	`313`	`$userProvider =$this->getProvider();`
`312`	`314`	`}`
`313`	`315`
	`316`	`+if (!isset($options['secure'])) {`
	`317`	`+$options['secure'] =false;`
	`318`	`+ }`
	`319`	`+if (!isset($options['httponly'])) {`
	`320`	`+$options['httponly'] =true;`
	`321`	`+ }`
	`322`	`+`
`314`	`323`	`returnnewPersistentTokenBasedRememberMeServices(array($userProvider),'fookey','fookey',$options,$logger,newSecureRandom(sys_get_temp_dir().'/_sf2.seed'));`
`315`	`324`	`}`
`316`	`325`

`‎src/Symfony/Component/Security/Tests/Http/RememberMe/TokenBasedRememberMeServicesTest.php‎`

Lines changed: 10 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ public function provideUsernamesForAutoLogin()`
`153`	`153`
`154`	`154`	`publicfunctiontestLogout()`
`155`	`155`	`{`
`156`		`-$service =$this->getService(null,array('name' =>'foo','path' =>null,'domain' =>null));`
	`156`	`+$service =$this->getService(null,array('name' =>'foo','path' =>null,'domain' =>null,'secure' =>true,'httponly' =>false));`
`157`	`157`	`$request =newRequest();`
`158`	`158`	`$response =newResponse();`
`159`	`159`	`$token =$this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');`
`@@ -164,6 +164,8 @@ public function testLogout()`
`164`	`164`	`$this->assertTrue($cookie->isCleared());`
`165`	`165`	`$this->assertEquals('/',$cookie->getPath());`
`166`	`166`	`$this->assertNull($cookie->getDomain());`
	`167`	`+$this->assertTrue($cookie->isSecure());`
	`168`	`+$this->assertFalse($cookie->isHttpOnly());`
`167`	`169`	`}`
`168`	`170`
`169`	`171`	`publicfunctiontestLoginFail()`
`@@ -264,6 +266,13 @@ protected function getService($userProvider = null, $options = array(), $logger`
`264`	`266`	`$userProvider =$this->getProvider();`
`265`	`267`	`}`
`266`	`268`
	`269`	`+if (!isset($options['secure'])) {`
	`270`	`+$options['secure'] =false;`
	`271`	`+ }`
	`272`	`+if (!isset($options['httponly'])) {`
	`273`	`+$options['httponly'] =true;`
	`274`	`+ }`
	`275`	`+`
`267`	`276`	`$service =newTokenBasedRememberMeServices(array($userProvider),'fookey','fookey',$options,$logger);`
`268`	`277`
`269`	`278`	`return$service;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit18b1c6a

File tree

4 files changed

4 files changed

`‎src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php‎`

`‎src/Symfony/Component/Security/Tests/Http/RememberMe/AbstractRememberMeServicesTest.php‎`

`‎src/Symfony/Component/Security/Tests/Http/RememberMe/PersistentTokenBasedRememberMeServicesTest.php‎`

`‎src/Symfony/Component/Security/Tests/Http/RememberMe/TokenBasedRememberMeServicesTest.php‎`

0 commit comments