[Security] Fix clearing remember-me cookie after deauthentication #34671
fabpot commented Nov 30, 2019
Thank you @chalasr.
…ication (chalasr)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Fix clearing remember-me cookie after deauthentication

| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #26379
| License | MIT
| Doc PR | -

If you are using the `remember_me` listener and the refreshed user is deauthenticated, you are still logged in because the remember-me cookie does not get cleared.

This fixes it.

Commits
-------

d625a73 [Security] Fix clearing remember-me cookie after deauthentication
| thrownewInvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.',$id,$firewall[$key]['provider'])); | ||
| } | ||
| $userProvider =$providerIds[$normalizedName]; | ||
| }elseif ('remember_me' ===$key) { |
Careful when merging up: this condition also includes anonymous === $key as of 4.4, it needs to be split so that this applies only to remember_me.
| always_remember_me:true | ||
| secret:key | ||
| anonymous:~ | ||
| logout_on_user_change:true |
to be removed starting from 4.3
gondo commented Dec 2, 2019 • edited
this broke my application. can't login anymore, I am being redirected to login page even with correct credentials. downgrading to SF
chalasr commented Dec 2, 2019

@gondo please open an issue with enough information to reproduce
If you are using the `remember_me` listener and the refreshed user is deauthenticated, you are still logged in because the remember-me cookie does not get cleared.

This fixes it.
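The behaviour described above, as an added example that is neither Symfony's code nor part of this PR: a simplified model of one request in which the session refresh deauthenticates the user and a remember-me step runs afterwards. Every function name, the `stamp` field and the sample data are hypothetical and constructed for the illustration.

```php
<?php
// Simplified model of one firewall request. All names are hypothetical, not Symfony classes.
// Constructed sample state: the stored user changed (stamp 2) after the session copy (stamp 1).
const STORED_USERS = ['alice' => ['stamp' => 2]];

// Session refresh: deauthenticate when the stored user no longer matches the session copy.
function refreshFromSession(array $session, array &$cookies, bool $clearCookie): ?string
{
    $user = $session['user'] ?? null;
    if ($user === null) {
        return null;
    }
    $current = STORED_USERS[$user['name']] ?? null;
    if ($current !== null && $current['stamp'] === $user['stamp']) {
        return $user['name']; // unchanged user stays authenticated
    }
    if ($clearCookie) {
        unset($cookies['REMEMBERME']); // the fix: drop the cookie along with the token
    }
    return null; // deauthenticated
}

// Remember-me step: only acts when nobody is authenticated yet and a cookie is present.
function rememberMe(?string $authenticated, array $cookies): ?string
{
    if ($authenticated !== null || !isset($cookies['REMEMBERME'])) {
        return $authenticated;
    }
    return $cookies['REMEMBERME']['name']; // cookie validation is omitted in this model
}

function handleRequest(bool $clearCookie): array
{
    $session = ['user' => ['name' => 'alice', 'stamp' => 1]];
    $cookies = ['REMEMBERME' => ['name' => 'alice']];
    $user = refreshFromSession($session, $cookies, $clearCookie);
    $user = rememberMe($user, $cookies);
    return ['user' => $user, 'cookie_kept' => isset($cookies['REMEMBERME'])];
}

var_dump(handleRequest(false)); // cookie left in place on deauthentication
var_dump(handleRequest(true));  // cookie cleared on deauthentication
```

When reviewing a firewall for this class of bug, check that every path that drops the security token also invalidates the remember-me cookie.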