authorFabien Potencier <fabien.potencier@gmail.com>2011-11-10 10:55:16 +0100
committerFabien Potencier <fabien.potencier@gmail.com>2011-11-10 10:55:16 +0100
commit0a472f1c59677e77140d937eebb7523cdbe0a90e (patch)
tree4badeef5154ee414ff81fc58659587f534ea32f9 /Http
parent551766c060854b3b0bbd3428a9ae25712f4d2781 (diff)
parent6b549aafe281d641b4677e74ca5fcce1bf35b183 (diff)
Merge branch '2.0'
* 2.0: Added a class to the logs ol element to prevent hiding it when toggling an exception (fixes #2589). Remove only the security token instead of the session cookie. Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).
Diffstat (limited to 'Http')
-rw-r--r--Http/Firewall/ExceptionListener.php8
1 files changed, 8 insertions, 0 deletions
diff --git a/Http/Firewall/ExceptionListener.php b/Http/Firewall/ExceptionListener.php
index a36baf3..1535b9b 100644
--- a/Http/Firewall/ExceptionListener.php
+++ b/Http/Firewall/ExceptionListener.php
@@ -15,7 +15,9 @@ use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
@@ -158,6 +160,12 @@ class ExceptionListener
$this->setTargetPath($request);
+ if ($authException instanceof AccountStatusException && ($token = $this->context->getToken()) instanceof UsernamePasswordToken) {
+ // remove the security token to prevent infinite redirect loops
+ $this->context->setToken(null);
+ $request->getSession()->remove('_security_' . $token->getProviderKey());
+ }
+
return $this->authenticationEntryPoint->start($request, $authException);
}
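Review bot: The added block at `$request->getSession()->remove('_security_' . $token->getProviderKey());` calls `remove()` on whatever `getSession()` returns, and a request that carries no session would turn a disabled/locked account into a fatal error on the exception path instead of a redirect; guarding with `if ($request->hasSession()) { $request->getSession()->remove('_security_' . $token->getProviderKey()); }` keeps the entry-point redirect working in that case. The `'_security_'` prefix is hand-built here and must match the key under which the token is stored elsewhere; a shared constant or a short comment naming that dependency, such as `// must stay in sync with the session key written by ContextListener`, would prevent the two drifting apart. The condition also clears the token only for `UsernamePasswordToken`, so it may be worth a comment stating that other token types are intentionally left in place. The enclosing method starts before this hunk; only its final lines are visible.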