diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adding session authentication strategy to Guard to avoid session 

fixation
This commit is contained in:
Ryan Weaver 2018-02-01 08:53:47 -05:00 committed by Fabien Potencier
parent abc802390b
commit f2e83ba44d
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
View File

@ -46,6 +46,7 @@ class GuardAuthenticatorHandler
*/
public function authenticateWithToken(TokenInterface $token, Request $request)
{
$this->migrateSession($request);
$this->tokenStorage->setToken($token);
if (null !== $this->dispatcher) {
@ -127,4 +128,16 @@ class GuardAuthenticatorHandler
is_object($response) ? get_class($response) : gettype($response)
));
}
private function migrateSession(Request $request)
{
if (!$request->hasSession() || !$request->hasPreviousSession()) {
return;
}
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
}
}