security #cve-2018-11385 migrating session for UsernamePasswordJsonAuthenticationListener
* cve-2018-11385-3.4: migrating session for UsernamePasswordJsonAuthenticationListener
commit
194caff28b
@ -139,6 +139,8 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
|
||||
$this->logger->info('User has been authenticated successfully.', array('username' => $token->getUsername()));
|
||||
}
|
||||
|
||||
$this->migrateSession($request);
|
||||
|
||||
$this->tokenStorage->setToken($token);
|
||||
|
||||
if (null !== $this->eventDispatcher) {
|
||||
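Review bot: The added `$this->migrateSession($request);` call carries no comment saying why the session id is regenerated at this point, just before `$this->tokenStorage->setToken($token);`. A one-line comment such as `// Regenerate the session id on successful login to prevent session fixation (CVE-2018-11385).` would keep a later refactor from dropping or moving the call unnoticed. No test asserting that the session id changes after a successful JSON login is visible on this page; one would be worth adding alongside the fix. The enclosing method starts and ends outside the hunk.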
@ -182,4 +184,15 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
||||
private function migrateSession(Request $request)
|
||||
{
|
||||
if (!$request->hasSession() || !$request->hasPreviousSession()) {
|
||||
return;
|
||||
}
|
||||
// Destroying the old session is broken in php 5.4.0 - 5.4.10
|
||||
// See https://bugs.php.net/63379
|
||||
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
|
||||
$request->getSession()->migrate($destroy);
|
||||
}
|
||||
}
|
||||
|
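Review bot: migrateSession() has no docblock, and the comment above `$destroy` does not say what a `false` value implies: on PHP 5.4.0–5.4.10 the id is regenerated but the old session record is left on the server under the old id. I would add `/** Regenerates the session id after a successful login to prevent session fixation. */` above the method and extend the inline comment with that consequence. If this branch's minimum PHP version is above 5.4.10, as the 3.4 in the branch name suggests, the version check is always true and the call could be written as `$request->getSession()->migrate(true);`. That should be confirmed against the package's PHP requirement, which is not shown here.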