[SecurityBundle] Revert adding _stateless attribute to the request when firewall is stateless and the attribute is not already set #58017


Merged
nicolas-grekas merged 1 commit into symfony:6.4 from MatTheCat:ticket_50715 on Aug 16, 2024

Conversation

@MatTheCat
Contributor

MatTheCat commented Aug 15, 2024 (edited)

Q                A
Branch?          6.4
Bug fix?         yes
New feature?     no
Deprecations?    no
Issues           Fix #50715
License          MIT

#40372 was about routes matching both stateful and stateless firewalls: you couldn’t easily configure them as stateless under a stateless firewall only.

#48044 fixed it by linking these two attributes: a stateless firewall then implied a stateless request. While it can sound logical, this impacted many projects using the session while authenticating users in a stateless fashion.

At last, #49997 allowed overriding this behavior by explicitly configuring routes as not stateless. This kind of proved that #48044 was a mistake: you cannot tell a request must be stateless only because it matches a stateless firewall.

As such, this PR reverts #48044 (and consequently #49997) so that configuring routes as stateless is the developers' responsibility alone. It also reopens #40372, but I think this issue should be fixed in an opt-in way (with a new firewall.stateless.with_routes boolean configuration in the SecurityBundle, e.g.).

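An added example (not code from this PR or from Symfony itself) of what the revert means for an application: under a firewall declared with stateless: true in security.yaml (assumed name api, pattern ^/api), only the route that carries its own stateless option keeps the _stateless request attribute and, with it, the framework's session-usage safeguard. Controller, route names and paths are assumptions.

```php
<?php
// Added example, not part of the PR. Assumes a firewall "api" with
// `stateless: true` covering ^/api in config/packages/security.yaml.
namespace App\Controller;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Attribute\Route;

final class ApiController
{
    // Explicit `stateless: true` on the route: the router sets the `_stateless`
    // request attribute, so any session access on this request is still
    // reported by the kernel's session listener, exactly as before the revert.
    #[Route('/api/ping', name: 'api_ping', stateless: true)]
    public function ping(): JsonResponse
    {
        return new JsonResponse(['pong' => true]);
    }

    // No route option: before this PR the stateless firewall alone marked the
    // request `_stateless`; after it the attribute is absent, so reading the
    // session here is no longer flagged. Mark the route yourself if it must
    // stay session-free.
    #[Route('/api/whoami', name: 'api_whoami')]
    public function whoami(Request $request): JsonResponse
    {
        // false after this change unless `stateless: true` is set on the route
        $isStateless = (bool) $request->attributes->get('_stateless', false);

        return new JsonResponse([
            'stateless'  => $isStateless,
            'session_id' => $request->hasSession() ? $request->getSession()->getId() : null,
        ]);
    }
}
```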
@nicolas-grekas
Member

I'd go with a bugfix on my side. The side-effect of reverting this on 6.4 would be that requests won't be marked as stateless anymore for some, and that should be fine since this is just adding a safeguard, isn't it?

@chalasr
Member

I agree with reverting this on 6.4.
About re-introducing this but opt-in, after all I don't think we need much more than what we have already with the session usage panel in the profiler. Maybe some kind of more visible warning could be added there or in the toolbar when the session is used under a stateless firewall.

chalasr modified the milestones: 7.2, 6.4 on Aug 16, 2024
…when firewall is stateless and the attribute is not already set
@MatTheCat
Contributor, Author

MatTheCat commented Aug 16, 2024 (edited)

Rebased on 6.4 and updated the description accordingly.

@nicolas-grekas yes, the only impact is that you’ll no longer be warned about session usage from a route configured as stateless under a stateless firewall.

@chalasr not sure about what you’re proposing, but I guess that would be another PR anyway!


nicolas-grekas changed the base branch from 7.2 to 6.4 on August 16, 2024 09:44
@nicolas-grekas
Member

Thank you @MatTheCat.


nicolas-grekas merged commit 643fcae into symfony:6.4 on Aug 16, 2024
MatTheCat deleted the ticket_50715 branch on August 16, 2024 09:46
javiereguiluz added a commit to symfony/symfony-docs that referenced this pull request on Aug 28, 2024:
… routes as stateless (MatTheCat)
This PR was merged into the 6.4 branch.
Discussion
----------
[Security] Remove note about stateless firewalls marking routes as stateless
Following symfony/symfony#58017
Commits
-------
768ef5a [Security] Remove note about stateless firewalls marking routes as stateless
This was referenced Aug 30, 2024

Reviewers

chalasr approved these changes


Milestone

6.4

Development

Successfully merging this pull request may close these issues.

Automagically flagging requests as stateless breaks valid session access

4 participants

@MatTheCat, @nicolas-grekas, @chalasr, @carsonbot
