[Security] Track session usage whenever a new token is set #36335


Merged

Conversation

wouterj (Member) commented Apr 3, 2020 (edited)

QA

Branch?        4.4
Bug fix?       yes
New feature?   no
Deprecations?  no
Tickets        Fix #36208
License        MIT
Doc PR         -

When using `anonymous: lazy`, the programmatic login using the guard handler is broken. As `setToken()` does not track usage, the index remains equal.

I tried fixing this more properly in e.g. the `SessionStrategy::onAuthentication` class, but I couldn't get it working (as `$request->hasPreviousSession()` returns false, the session strategy isn't called). `setToken()` can also not be made usage tracking afaics, because it would directly break (`setToken(null)` is called in `ContextListener`).

The current fix does however look really ugly, but I can't find anything better with my minor knowledge of this session usage tracking feature. I'm open to all ideas :)

wouterj force-pushed the bug-36208/lazy-guard-manual-login branch 2 times, most recently from a7eb8fc to c1e0d9e (April 3, 2020 14:12)
nicolas-grekas added this to the 4.4 milestone (Apr 3, 2020)
nicolas-grekas (Member) commented Apr 3, 2020 (edited)

> setToken(null) is called in ContextListener

Can't we make `setToken` increment the tracker when `$token` is not null?

wouterj (Member, Author) commented Apr 3, 2020 (edited)

> Can't we make setToken increment the tracker when $token is not null?

I just tried this (as it sounds like a nice solution), but without calling `getToken()` the `TokenStorage::initializer()` isn't called. This means `ContextListener` isn't called and thus usage tracking is not enabled in the `UsageTrackingTokenStorage`. So this can be fixed by also injecting the `sessionTrackerEnabler` in `UsageTrackingTokenStorage`. Is that preferred? (it seems a bit off, as it's then getting a closure injected that calls its own method)

Allowing `setToken()` to call the `initializer` before setting the token would completely remove the lazy feature (as `setToken(null)` is always called).
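The following is an added illustration, not code from Symfony or from this PR: a minimal stand-in for a usage-tracking token storage showing why a programmatic login that only calls `setToken()` leaves the usage index untouched, and how counting a non-null token (while keeping `setToken(null)` free, as the discussion above requires) fixes it. All class and method names apart from `setToken()`/`getToken()` are assumed for this model.

```php
<?php
// Added illustration, not Symfony's code. SessionUsageTracker stands in for
// the session metadata Symfony touches to bump its usage index; the real
// classes differ in naming and wiring.

final class SessionUsageTracker
{
    private int $usageIndex = 0;

    public function touch(): void { ++$this->usageIndex; }
    public function getUsageIndex(): int { return $this->usageIndex; }
}

final class UsageTrackingStorage
{
    private ?object $token = null;

    public function __construct(
        private SessionUsageTracker $tracker,
        private bool $trackSetToken, // false models the behaviour before the fix
    ) {}

    public function getToken(): ?object
    {
        $this->tracker->touch(); // reading the token has always counted as usage
        return $this->token;
    }

    public function setToken(?object $token): void
    {
        $this->token = $token;
        // setToken(null) runs on every request via the context listener, so
        // only a real token may count as usage; otherwise every request would
        // look like it used the session and the lazy firewall would be pointless.
        if ($this->trackSetToken && null !== $token) {
            $this->tracker->touch();
        }
    }
}

// A guard-style programmatic login: the handler sets a token without reading one.
function usageIndexAfterLogin(bool $trackSetToken): int
{
    $tracker = new SessionUsageTracker();
    $storage = new UsageTrackingStorage($tracker, $trackSetToken);
    $storage->setToken(null);           // context listener on a lazy firewall
    $storage->setToken(new stdClass()); // guard handler logs the user in
    return $tracker->getUsageIndex();
}

var_dump(usageIndexAfterLogin(false));
var_dump(usageIndexAfterLogin(true));
```

With `$trackSetToken` false the index stays at 0 after the login, so a session writer that compares the index before and after the request would not persist the new token; with it true the login is counted once.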

wouterj force-pushed the bug-36208/lazy-guard-manual-login branch from c1e0d9e to fed965a (April 3, 2020 17:04)
wouterj changed the title from "[Security][Guard] Force incrementing session usage index upon programatic login" to "[Security] Track session usage whenever a new token is set" (Apr 3, 2020)
wouterj force-pushed the bug-36208/lazy-guard-manual-login branch 2 times, most recently from 20b8804 to d09adf8 (April 3, 2020 17:41)
wouterj force-pushed the bug-36208/lazy-guard-manual-login branch from d09adf8 to 8d96dbd (April 3, 2020 17:47)
fabpot (Member) commented

Thank you @wouterj.

fabpot merged commit 38cbcc6 into symfony:4.4 (Apr 4, 2020)
wouterj deleted the bug-36208/lazy-guard-manual-login branch (April 15, 2020 16:34)

Reviewers

fabpot approved these changes
nicolas-grekas approved these changes
