[Security] Prevent canceled remember-me cookie from being accepted
This commit is contained in:
Robin Chalas
parent
4b419f2706
commit
9b711b87fe
@ -33,7 +33,7 @@ class ClearRememberMeTest extends AbstractWebTestCase
|
|||||||
$this->assertNotNull($cookieJar->get('REMEMBERME'));
|
$this->assertNotNull($cookieJar->get('REMEMBERME'));
|
||||||
|
|
||||||
$client->request('GET', '/foo');
|
$client->request('GET', '/foo');
|
||||||
$this->assertSame(200, $client->getResponse()->getStatusCode());
|
$this->assertRedirect($client->getResponse(), '/login');
|
||||||
$this->assertNull($cookieJar->get('REMEMBERME'));
|
$this->assertNull($cookieJar->get('REMEMBERME'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -19,7 +19,7 @@
|
|||||||
"php": "^5.5.9|>=7.0.8",
|
"php": "^5.5.9|>=7.0.8",
|
||||||
"ext-xml": "*",
|
"ext-xml": "*",
|
||||||
"symfony/config": "~3.4|~4.0",
|
"symfony/config": "~3.4|~4.0",
|
||||||
"symfony/security": "~3.4.36|~4.3.9|^4.4.1",
|
"symfony/security": "~3.4.37|~4.3.10|^4.4.3",
|
||||||
"symfony/dependency-injection": "^3.4.3|^4.0.3",
|
"symfony/dependency-injection": "^3.4.3|^4.0.3",
|
||||||
"symfony/http-kernel": "~3.4|~4.0",
|
"symfony/http-kernel": "~3.4|~4.0",
|
||||||
"symfony/polyfill-php70": "~1.0"
|
"symfony/polyfill-php70": "~1.0"
|
||||||
|
|||||||
@ -99,6 +99,10 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
|
|||||||
*/
|
*/
|
||||||
final public function autoLogin(Request $request)
|
final public function autoLogin(Request $request)
|
||||||
{
|
{
|
||||||
|
if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
if (null === $cookie = $request->cookies->get($this->options['name'])) {
|
if (null === $cookie = $request->cookies->get($this->options['name'])) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -39,6 +39,17 @@ class AbstractRememberMeServicesTest extends TestCase
|
|||||||
$this->assertNull($service->autoLogin(new Request()));
|
$this->assertNull($service->autoLogin(new Request()));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testAutoLoginReturnsNullAfterLoginFail()
|
||||||
|
{
|
||||||
|
$service = $this->getService(null, ['name' => 'foo', 'path' => null, 'domain' => null]);
|
||||||
|
|
||||||
|
$request = new Request();
|
||||||
|
$request->cookies->set('foo', 'foo');
|
||||||
|
|
||||||
|
$service->loginFail($request);
|
||||||
|
$this->assertNull($service->autoLogin($request));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @group legacy
|
* @group legacy
|
||||||
*/
|
*/
|
||||||
|
|||||||
Reference in New Issue
Block a user