diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Security][bugfix] "Remember me" cookie cleared on logout with custom "secure"/"httponly" config options [1]

This commit is contained in:
Dawid Nowak 2015-06-03 01:54:30 +02:00 committed by Fabien Potencier
parent 5607f71079
commit 18b1c6a235
4 changed files with 50 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php
View File

@ -293,7 +293,7 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
$this->logger->debug(sprintf('Clearing remember-me cookie "%s"', $this->options['name']));
}
$request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain']));
$request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly']));
}
/**

32
src/Symfony/Component/Security/Tests/Http/RememberMe/AbstractRememberMeServicesTest.php
View File

@ -82,16 +82,35 @@ class AbstractRememberMeServicesTest extends \PHPUnit_Framework_TestCase
$this->assertSame('fookey', $returnedToken->getProviderKey());
}
public function testLogout()
/**
* @dataProvider provideOptionsForLogout
*/
public function testLogout(array $options)
{
$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
$service = $this->getService(null, $options);
$request = new Request();
$response = new Response();
$token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
$service->logout($request, $response, $token);
$this->assertTrue($request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME)->isCleared());
$cookie = $request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME);
$this->assertInstanceOf('Symfony\Component\HttpFoundation\Cookie', $cookie);
$this->assertTrue($cookie->isCleared());
$this->assertSame($options['name'], $cookie->getName());
$this->assertSame($options['path'], $cookie->getPath());
$this->assertSame($options['domain'], $cookie->getDomain());
$this->assertSame($options['secure'], $cookie->isSecure());
$this->assertSame($options['httponly'], $cookie->isHttpOnly());
}
public function provideOptionsForLogout()
{
return array(
array(array('name' => 'foo', 'path' => '/', 'domain' => null, 'secure' => false, 'httponly' => true)),
array(array('name' => 'foo', 'path' => '/bar', 'domain' => 'baz.com', 'secure' => true, 'httponly' => false)),
);
}
public function testLoginFail()
@ -267,6 +286,13 @@ class AbstractRememberMeServicesTest extends \PHPUnit_Framework_TestCase
$userProvider = $this->getProvider();
}
if (!isset($options['secure'])) {
$options['secure'] = false;
}
if (!isset($options['httponly'])) {
$options['httponly'] = true;
}
return $this->getMockForAbstractClass('Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices', array(
array($userProvider), 'fookey', 'fookey', $options, $logger,
));

11
src/Symfony/Component/Security/Tests/Http/RememberMe/PersistentTokenBasedRememberMeServicesTest.php
View File

@ -180,7 +180,7 @@ class PersistentTokenBasedRememberMeServicesTest extends \PHPUnit_Framework_Test
public function testLogout()
{
$service = $this->getService(null, array('name' => 'foo', 'path' => '/foo', 'domain' => 'foodomain.foo'));
$service = $this->getService(null, array('name' => 'foo', 'path' => '/foo', 'domain' => 'foodomain.foo', 'secure' => true, 'httponly' => false));
$request = new Request();
$request->cookies->set('foo', $this->encodeCookie(array('fooseries', 'foovalue')));
$response = new Response();
@ -201,6 +201,8 @@ class PersistentTokenBasedRememberMeServicesTest extends \PHPUnit_Framework_Test
$this->assertTrue($cookie->isCleared());
$this->assertEquals('/foo', $cookie->getPath());
$this->assertEquals('foodomain.foo', $cookie->getDomain());
$this->assertTrue($cookie->isSecure());
$this->assertFalse($cookie->isHttpOnly());
}
public function testLogoutSimplyIgnoresNonSetRequestCookie()
@ -311,6 +313,13 @@ class PersistentTokenBasedRememberMeServicesTest extends \PHPUnit_Framework_Test
$userProvider = $this->getProvider();
}
if (!isset($options['secure'])) {
$options['secure'] = false;
}
if (!isset($options['httponly'])) {
$options['httponly'] = true;
}
return new PersistentTokenBasedRememberMeServices(array($userProvider), 'fookey', 'fookey', $options, $logger, new SecureRandom(sys_get_temp_dir().'/_sf2.seed'));
}

11
src/Symfony/Component/Security/Tests/Http/RememberMe/TokenBasedRememberMeServicesTest.php
View File

@ -153,7 +153,7 @@ class TokenBasedRememberMeServicesTest extends \PHPUnit_Framework_TestCase
public function testLogout()
{
$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null, 'secure' => true, 'httponly' => false));
$request = new Request();
$response = new Response();
$token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
@ -164,6 +164,8 @@ class TokenBasedRememberMeServicesTest extends \PHPUnit_Framework_TestCase
$this->assertTrue($cookie->isCleared());
$this->assertEquals('/', $cookie->getPath());
$this->assertNull($cookie->getDomain());
$this->assertTrue($cookie->isSecure());
$this->assertFalse($cookie->isHttpOnly());
}
public function testLoginFail()
@ -264,6 +266,13 @@ class TokenBasedRememberMeServicesTest extends \PHPUnit_Framework_TestCase
$userProvider = $this->getProvider();
}
if (!isset($options['secure'])) {
$options['secure'] = false;
}
if (!isset($options['httponly'])) {
$options['httponly'] = true;
}
$service = new TokenBasedRememberMeServices(array($userProvider), 'fookey', 'fookey', $options, $logger);
return $service;