Symfony version(s) affected
7.2.3
Description
Hello,
I think I found a bug in how the lazy firewall context determines if the authentication is needed or not. For the bug to happen, you need to:
- Have a lazy firewall
- Have remember me enabled
- Have a user to log in
- Let the session expire
- Have the user go to a public route (one that does not require authentication)
- Have the user submit a form with POST on that route with CSRF protection enabled
What happens is this:
- The session is expired so the user is logged out
- The user goes to the public route with a GET, which refreshes the session with an anonymous session (because no authentication was needed). Crucially, it means that the CSRF token is stored in this anonymous session.
- The user submits the form with a POST, which causes the lazy firewall context to deem the authentication necessary, which then calls the remember me authenticator, which migrates the session and clears the CSRF storage
- The CSRF validation then fails, forcing the user to resubmit the form
Note that at no point was the authentication necessary, because the route was public.
On the other hand, if the route is private, the GET request will perform the authentication, forcing the session migration sooner, and no problem occurs.
How to reproduce
You can run the test in this repository to reproduce.
Possible Solution
No response
Additional Context
No response
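A small Python model of the request sequence described in the report, added here as an illustration; it is not Symfony's code and not the linked test repository. The `Session`, `lazy_firewall` and CSRF helpers are simplified stand-ins that follow the report's description (authentication runs on a public route only once the POST arrives, and migration on login clears the CSRF storage), and the model contrasts the public-route flow with the private-route flow the report says works.

```python
# Constructed model of the bug report's flow; not Symfony code.
from dataclasses import dataclass, field
import secrets

CSRF_NS = "_csrf"  # namespace in session data where CSRF tokens live


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    authenticated: bool = False

    def migrate(self) -> None:
        # Mirrors the report: migrating the session on login clears the
        # CSRF storage, so tokens issued to the anonymous session are lost.
        self.data.pop(CSRF_NS, None)


def csrf_token(session: Session) -> str:
    """Return (creating if needed) the token rendered into the form."""
    ns = session.data.setdefault(CSRF_NS, {})
    return ns.setdefault("form", secrets.token_hex(8))


def csrf_valid(session: Session, token: str) -> bool:
    return session.data.get(CSRF_NS, {}).get("form") == token


def lazy_firewall(session: Session, method: str, route_public: bool,
                  remember_me_cookie: bool) -> bool:
    """Authenticate only when needed: private routes always, public routes
    only on POST (the trigger described in the report). Returns True if
    the remember-me authenticator actually ran."""
    needs_auth = (not route_public) or method == "POST"
    if needs_auth and not session.authenticated and remember_me_cookie:
        session.authenticated = True
        session.migrate()  # login migrates the session -> CSRF storage cleared
        return True
    return False


def run_flow(route_public: bool) -> bool:
    """Expired session -> GET the route (form rendered) -> POST it back.
    Returns whether the CSRF token submitted with the POST validates."""
    session = Session()  # fresh anonymous session after expiry
    lazy_firewall(session, "GET", route_public, remember_me_cookie=True)
    token = csrf_token(session)  # token stored in whatever session exists now
    lazy_firewall(session, "POST", route_public, remember_me_cookie=True)
    return csrf_valid(session, token)
```

On a public route the token is created in the anonymous session and the POST-time migration discards it, so validation fails; on a private route the GET already migrated the session before the token was issued, so the same POST succeeds.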