[Security] Fixed persistence of AuthenticationException #15557
setting things in the session must not be done like this all the time:
- the request may not have a Session in it, which triggers a fatal error in your code
- if the firewall is configured as stateless, nothing should be set in the session even if there is a session
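The two conditions named in this review comment, written as a guard. This is an added example, not code from the pull request or from Symfony; the helper `persistAuthenticationError()`, the `$stateless` flag, the `LAST_ERROR_KEY` constant and its value, and the sample requests are assumptions made for illustration.

```php
<?php
// Added example. Assumes symfony/http-foundation and symfony/security-core
// are installed through Composer in the current directory.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
use Symfony\Component\Security\Core\Exception\AuthenticationException;

// Assumed session key; chosen to mirror the key read back after a failed login.
const LAST_ERROR_KEY = '_security.last_error';

/**
 * Hypothetical helper: store the exception in the session only when that is
 * safe. Returns true when the session was written, false when it was skipped.
 */
function persistAuthenticationError(Request $request, AuthenticationException $e, bool $stateless): bool
{
    // A stateless firewall must not touch the session, even if one exists.
    if ($stateless) {
        return false;
    }
    // getSession() on a request without a session is the fatal-error case.
    if (!$request->hasSession()) {
        return false;
    }
    $request->getSession()->set(LAST_ERROR_KEY, $e);

    return true;
}

// Constructed sample data.
$error = new AuthenticationException('User could not be refreshed.');

$noSession = Request::create('/profile');
var_dump(persistAuthenticationError($noSession, $error, false));

$withSession = Request::create('/profile');
$withSession->setSession(new Session(new MockArraySessionStorage()));

// Stateless firewall: the existing session stays untouched.
var_dump(persistAuthenticationError($withSession, $error, true));
var_dump($withSession->getSession()->has(LAST_ERROR_KEY));

// Stateful firewall with a session: the error is stored.
var_dump(persistAuthenticationError($withSession, $error, false));
var_dump($withSession->getSession()->get(LAST_ERROR_KEY) === $error);
```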
linaori commented Aug 15, 2015
@rpg600 This would only fix the case where the refresh cannot find the user anymore when a I don't think this is what you intended to change. This will also alter the flow in the location where this method is called. Can you add tests to verify this is all working the way you want it to?
rpg600 commented Aug 15, 2015
@iltar This is exactly my use case, I faced this problem when I configured two providers having the same user class (but this is another issue) and I didn't know where it came from. It can also be useful for auth exceptions thrown by the user land.
cc21c6c to d6aebb1
fabpot commented Jan 25, 2016
What about #12465 instead?
fabpot commented Mar 22, 2017
probably fixed by #21865
During the refresh of an authenticated user, the potential AuthenticationException is ignored; now it is persisted in the session, just like after an authentication failure.