[Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]
parent
5607f71079
commit
18b1c6a235
|
@ -293,7 +293,7 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
|
|||
$this->logger->debug(sprintf('Clearing remember-me cookie "%s"', $this->options['name']));
|
||||
}
|
||||
|
||||
$request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain']));
|
||||
$request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
|
||||
}
|
||||
|
||||
/**
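Review bot: The new `Cookie(...)` line reads `$this->options['secure']` and `$this->options['httponly']` with no guard, so a service built from an options array that lacks those keys would raise an undefined-index notice and pass `null` for both, which the Cookie constructor most likely casts to `false`, i.e. the clearing cookie would go out without `httponly`. The three test `getService()` helpers in this same commit add exactly those defaults before constructing the service, which suggests the constructor (outside this hunk) does not guarantee the keys; it should either default them the same way or the options contract should state that `secure` and `httponly` are required. A short why-comment on the line would also help the next reader, e.g. `// must match path/domain/secure/httponly of the cookie set at login, or the browser will not treat it as the same cookie and the old one survives logout`. The enclosing method starts before this hunk.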
|
||||
|
|
|
@ -82,16 +82,35 @@ class AbstractRememberMeServicesTest extends \PHPUnit_Framework_TestCase
|
|||
$this->assertSame('fookey', $returnedToken->getProviderKey());
|
||||
}
|
||||
|
||||
public function testLogout()
|
||||
/**
|
||||
* @dataProvider provideOptionsForLogout
|
||||
*/
|
||||
public function testLogout(array $options)
|
||||
{
|
||||
$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
|
||||
$service = $this->getService(null, $options);
|
||||
$request = new Request();
|
||||
$response = new Response();
|
||||
$token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
|
||||
|
||||
$service->logout($request, $response, $token);
|
||||
|
||||
$this->assertTrue($request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME)->isCleared());
|
||||
$cookie = $request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME);
|
||||
|
||||
$this->assertInstanceOf('Symfony\Component\HttpFoundation\Cookie', $cookie);
|
||||
$this->assertTrue($cookie->isCleared());
|
||||
$this->assertSame($options['name'], $cookie->getName());
|
||||
$this->assertSame($options['path'], $cookie->getPath());
|
||||
$this->assertSame($options['domain'], $cookie->getDomain());
|
||||
$this->assertSame($options['secure'], $cookie->isSecure());
|
||||
$this->assertSame($options['httponly'], $cookie->isHttpOnly());
|
||||
}
|
||||
|
||||
public function provideOptionsForLogout()
|
||||
{
|
||||
return array(
|
||||
array(array('name' => 'foo', 'path' => '/', 'domain' => null, 'secure' => false, 'httponly' => true)),
|
||||
array(array('name' => 'foo', 'path' => '/bar', 'domain' => 'baz.com', 'secure' => true, 'httponly' => false)),
|
||||
);
|
||||
}
|
||||
|
||||
public function testLoginFail()
|
||||
|
@ -267,6 +286,13 @@ class AbstractRememberMeServicesTest extends \PHPUnit_Framework_TestCase
|
|||
$userProvider = $this->getProvider();
|
||||
}
|
||||
|
||||
if (!isset($options['secure'])) {
|
||||
$options['secure'] = false;
|
||||
}
|
||||
if (!isset($options['httponly'])) {
|
||||
$options['httponly'] = true;
|
||||
}
|
||||
|
||||
return $this->getMockForAbstractClass('Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices', array(
|
||||
array($userProvider), 'fookey', 'fookey', $options, $logger,
|
||||
));
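Review bot: `provideOptionsForLogout()` only covers the two combinations `secure=false/httponly=true` and `secure=true/httponly=false`; the regression being fixed is that a custom value was silently replaced by the Cookie default, so a dataset with both flags set to their non-default or "real HTTPS deployment" values is also worth pinning, e.g. `array(array('name' => 'foo', 'path' => '/', 'domain' => null, 'secure' => true, 'httponly' => true)),`. The dropped `'path' => null` case from the old `testLogout()` is no longer exercised here; since `Cookie` normalises a null path (the TokenBased test asserts `'/'` for it), `assertSame($options['path'], ...)` would not work for it as-is, so a dedicated assertion or a comment explaining why null is excluded would make that deliberate. The `isset` defaulting added to `getService()` here is duplicated verbatim in the PersistentTokenBased and TokenBased test helpers in this commit; each could be collapsed to `$options += array('secure' => false, 'httponly' => true);`, which gives the same result unless a caller passes an explicit null.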
|
||||
|
|
|
@ -180,7 +180,7 @@ class PersistentTokenBasedRememberMeServicesTest extends \PHPUnit_Framework_Test
|
|||
|
||||
public function testLogout()
|
||||
{
|
||||
$service = $this->getService(null, array('name' => 'foo', 'path' => '/foo', 'domain' => 'foodomain.foo'));
|
||||
$service = $this->getService(null, array('name' => 'foo', 'path' => '/foo', 'domain' => 'foodomain.foo', 'secure' => true, 'httponly' => false));
|
||||
$request = new Request();
|
||||
$request->cookies->set('foo', $this->encodeCookie(array('fooseries', 'foovalue')));
|
||||
$response = new Response();
|
||||
|
@ -201,6 +201,8 @@ class PersistentTokenBasedRememberMeServicesTest extends \PHPUnit_Framework_Test
|
|||
$this->assertTrue($cookie->isCleared());
|
||||
$this->assertEquals('/foo', $cookie->getPath());
|
||||
$this->assertEquals('foodomain.foo', $cookie->getDomain());
|
||||
$this->assertTrue($cookie->isSecure());
|
||||
$this->assertFalse($cookie->isHttpOnly());
|
||||
}
|
||||
|
||||
public function testLogoutSimplyIgnoresNonSetRequestCookie()
|
||||
|
@ -311,6 +313,13 @@ class PersistentTokenBasedRememberMeServicesTest extends \PHPUnit_Framework_Test
|
|||
$userProvider = $this->getProvider();
|
||||
}
|
||||
|
||||
if (!isset($options['secure'])) {
|
||||
$options['secure'] = false;
|
||||
}
|
||||
if (!isset($options['httponly'])) {
|
||||
$options['httponly'] = true;
|
||||
}
|
||||
|
||||
return new PersistentTokenBasedRememberMeServices(array($userProvider), 'fookey', 'fookey', $options, $logger, new SecureRandom(sys_get_temp_dir().'/_sf2.seed'));
|
||||
}
|
||||
|
||||
|
|
|
@ -153,7 +153,7 @@ class TokenBasedRememberMeServicesTest extends \PHPUnit_Framework_TestCase
|
|||
|
||||
public function testLogout()
|
||||
{
|
||||
$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
|
||||
$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null, 'secure' => true, 'httponly' => false));
|
||||
$request = new Request();
|
||||
$response = new Response();
|
||||
$token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
|
||||
|
@ -164,6 +164,8 @@ class TokenBasedRememberMeServicesTest extends \PHPUnit_Framework_TestCase
|
|||
$this->assertTrue($cookie->isCleared());
|
||||
$this->assertEquals('/', $cookie->getPath());
|
||||
$this->assertNull($cookie->getDomain());
|
||||
$this->assertTrue($cookie->isSecure());
|
||||
$this->assertFalse($cookie->isHttpOnly());
|
||||
}
|
||||
|
||||
public function testLoginFail()
|
||||
|
@ -264,6 +266,13 @@ class TokenBasedRememberMeServicesTest extends \PHPUnit_Framework_TestCase
|
|||
$userProvider = $this->getProvider();
|
||||
}
|
||||
|
||||
if (!isset($options['secure'])) {
|
||||
$options['secure'] = false;
|
||||
}
|
||||
if (!isset($options['httponly'])) {
|
||||
$options['httponly'] = true;
|
||||
}
|
||||
|
||||
$service = new TokenBasedRememberMeServices(array($userProvider), 'fookey', 'fookey', $options, $logger);
|
||||
|
||||
return $service;
|
||||
|
|