[Security] Prevent canceled remember-me cookie from being accepted
This commit is contained in:
Robin Chalas
parent
4b419f2706
commit
9b711b87fe
|
|
@ -33,7 +33,7 @@ class ClearRememberMeTest extends AbstractWebTestCase
|
|||
$this->assertNotNull($cookieJar->get('REMEMBERME'));
|
||||
|
||||
$client->request('GET', '/foo');
|
||||
$this->assertSame(200, $client->getResponse()->getStatusCode());
|
||||
$this->assertRedirect($client->getResponse(), '/login');
|
||||
$this->assertNull($cookieJar->get('REMEMBERME'));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
"php": "^5.5.9|>=7.0.8",
|
||||
"ext-xml": "*",
|
||||
"symfony/config": "~3.4|~4.0",
|
||||
"symfony/security": "~3.4.36|~4.3.9|^4.4.1",
|
||||
"symfony/security": "~3.4.37|~4.3.10|^4.4.3",
|
||||
"symfony/dependency-injection": "^3.4.3|^4.0.3",
|
||||
"symfony/http-kernel": "~3.4|~4.0",
|
||||
"symfony/polyfill-php70": "~1.0"
|
||||
|
|
|
|||
|
|
@ -99,6 +99,10 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
|
|||
*/
|
||||
final public function autoLogin(Request $request)
|
||||
{
|
||||
if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (null === $cookie = $request->cookies->get($this->options['name'])) {
|
||||
return null;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,6 +39,17 @@ class AbstractRememberMeServicesTest extends TestCase
|
|||
$this->assertNull($service->autoLogin(new Request()));
|
||||
}
|
||||
|
||||
public function testAutoLoginReturnsNullAfterLoginFail()
|
||||
{
|
||||
$service = $this->getService(null, ['name' => 'foo', 'path' => null, 'domain' => null]);
|
||||
|
||||
$request = new Request();
|
||||
$request->cookies->set('foo', 'foo');
|
||||
|
||||
$service->loginFail($request);
|
||||
$this->assertNull($service->autoLogin($request));
|
||||
}
|
||||
|
||||
/**
|
||||
* @group legacy
|
||||
*/
|
||||
|
|
|
|||
Reference in New Issue