NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

[Security] Call logout handlers even if token is null#24489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Closed

MatTheCat wants to merge1 commit intosymfony:2.7fromMatTheCat:2.7

Closed

[Security] Call logout handlers even if token is null#24489

MatTheCat wants to merge1 commit intosymfony:2.7fromMatTheCat:2.7

Conversation

Copy link

Contributor

MatTheCat commentedOct 8, 2017•
edited
Loading

Q	A
Branch?	2.7
Bug fix?	yes
New feature?	no
BC breaks?	no
Deprecations?	no
Tests pass?	yes
Fixed tickets	#7104
License	MIT

When listeners are registered inSecurityExtension first ones always areChannelListener,ContextListener (if stateful) andLogoutListener. This means onlyContextListener can set a token to trigger the logout handlers. This means theLogoutListener is useless

if we don't have any token in the session
if the firewall is stateless

As said in#7104 (comment) we cannot register theLogoutListener last so a quick solution is to call the logout handlers wether a token is present or not in which case I pass aDummyToken instead (see#24489 (comment)).

carsonbot added Status: Needs Review Bug labels

Oct 8, 2017

MatTheCat changed the title~~call logout handlers even if token is null~~[Security] call logout handlers even if token is null

Oct 8, 2017

Copy link

Contributor

linaori commentedOct 8, 2017

I'm not entirely sure what the actual issue is, but calling out logout listeners when you don't have a token feels weird

nicolas-grekas added this to the2.7 milestone

Oct 8, 2017

Copy link

ContributorAuthor

MatTheCat commentedOct 8, 2017

The issue is listeners cannot set any token before the logout listener as it is registered before, so it is wrong to call the handlers based on the token being set.

MatTheCat changed the title~~[Security] call logout handlers even if token is null~~[Security] Call logout handlers even if token is null

Oct 9, 2017

Copy link

ContributorAuthor

MatTheCat commentedOct 9, 2017

I edited the PR description, sorry but I was on my phone.

chalasr reviewed

Oct 9, 2017

View reviewed changes

src/Symfony/Component/Security/Http/Logout/CookieClearingLogoutHandler.php Outdated

		* @param TokenInterface\|null $token
		*/
		publicfunctionlogout(Request$request,Response$response,TokenInterface$token)
		publicfunctionlogout(Request$request,Response$response,TokenInterface$token =null)

Copy link

Member

chalasrOct 9, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Changing the signature here is a BC break, same for all other.

Copy link

ContributorAuthor

MatTheCatOct 9, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Right, for applications implementing their own logout handler using$token in a case it is not set. I doubt anyone is concerned and I don't want to wait for Symfony flex (we won't be able to use it anyways) for a bug filed 4 years ago.

Copy link

ContributorAuthor

MatTheCatOct 9, 2017•
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

My mistake I didn't realize updating the interface force every implementation to update its signature. So is there any way to fix this before Symfony flex? Maybe by setting a dummy token instead ofnull?