Adding session authentication strategy to Guard to avoid session
fixation
parent
abc802390b
commit
f2e83ba44d
@ -46,6 +46,7 @@ class GuardAuthenticatorHandler
|
|||||||
*/
|
*/
|
||||||
public function authenticateWithToken(TokenInterface $token, Request $request)
|
public function authenticateWithToken(TokenInterface $token, Request $request)
|
||||||
{
|
{
|
||||||
|
$this->migrateSession($request);
|
||||||
$this->tokenStorage->setToken($token);
|
$this->tokenStorage->setToken($token);
|
||||||
|
|
||||||
if (null !== $this->dispatcher) {
|
if (null !== $this->dispatcher) {
|
||||||
@ -127,4 +128,16 @@ class GuardAuthenticatorHandler
|
|||||||
is_object($response) ? get_class($response) : gettype($response)
|
is_object($response) ? get_class($response) : gettype($response)
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private function migrateSession(Request $request)
|
||||||
|
{
|
||||||
|
if (!$request->hasSession() || !$request->hasPreviousSession()) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Destroying the old session is broken in php 5.4.0 - 5.4.10
|
||||||
|
// See https://bugs.php.net/63379
|
||||||
|
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
|
||||||
|
$request->getSession()->migrate($destroy);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
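Review bot: `migrateSession()` runs on every `authenticateWithToken()` call whenever the request carries a previous session, with no check that the authenticated identity has actually changed. If an authenticator calls the handler on each request (not visible in these hunks), the session id would rotate per request and concurrent requests could lose their session, so the rotation should be limited to real logins or skipped for stateless firewalls. The commit title speaks of a session authentication strategy, yet the new code hard-codes `migrate()`, so a configured fixation strategy is presumably bypassed; delegating to an injected `SessionAuthenticationStrategyInterface`, e.g. `$this->sessionStrategy->onAuthentication($request, $token);` (the property name is a suggestion), would keep Guard consistent with the other authentication paths. A short docblock on `migrateSession()` saying that it regenerates the session id to prevent fixation, and why `$destroy` depends on the PHP version, would also help. `authenticateWithToken()` continues past the end of the first hunk.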