Symfony version(s) affected

7.2.0

Description

When a#[Route] is marked asstateless: true and theSameOriginCsrfTokenManager.php configuration is enabled, the stateless check fails because thehasSession(true)condition passes and the code is executed when it shouldn't be. Therefore, the CSRF strategy is persisted in the session (I have acsrf-token with the value1 instead of no value at all).

To make the stateless check pass, I had to modify the following code:

// line 208 of Symfony\Component\Security\Csrf\SameOriginCsrfTokenManager.phppublicfunctionpersistStrategy(Request$request):void    {if ($request->hasSession(true) &&$request->attributes->has($this->cookieName)) {$request->getSession()->set($this->cookieName,$request->attributes->get($this->cookieName));        }    }

to

publicfunctionpersistStrategy(Request$request):void    {if ($request->hasSession(true) &&$request->getSession()->isStarted() &&$request->attributes->has($this->cookieName)) {$request->getSession()->set($this->cookieName,$request->attributes->get($this->cookieName));        }    }

@nicolas-grekas Maybe you wanted to check if the session was started instead of if a Session object exists ?

How to reproduce

Make a route marked as stateless. For instance:

#[Route(    path: ['fr' =>'/se_connecter','en' =>'/login',    ],    name:'login',    stateless:true,)]publicfunctionlogin() {// ...}

And configure the app to use stateless CSRF token (https://symfony.com/blog/new-in-symfony-7-2-stateless-csrf)

Possible Solution

Check if the session is started instead of the session exists to define if a value must be written in the session or not.

Additional Context

No response