authorFabien Potencier <fabien.potencier@gmail.com>2011-11-10 10:54:32 +0100
committerFabien Potencier <fabien.potencier@gmail.com>2011-11-10 10:54:32 +0100
commit6b549aafe281d641b4677e74ca5fcce1bf35b183 (patch)
tree44281255da9f0491c9e9c418f9654078f83e387a /Http
parent2c9a29530b0b9990bed18329416f336056da27e0 (diff)
parentb639956e791717ff721418b900bfadc8b22bfb39 (diff)
merged branch snc/issue-1798 (PR #2528)
Commits ------- f9befb6 Remove only the security token instead of the session cookie. 348bccb Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798). Discussion ---------- Fix for issue 1798 Bug fix: yes Feature addition: no Backwards compatibility break: no Symfony2 tests pass: yes Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798). --------------------------------------------------------------------------- by snc at 2011/11/01 04:01:49 -0700 @stof I have changed the code so that it only removes the token... do we still need any hook support? --------------------------------------------------------------------------- by stof at 2011/11/01 04:07:17 -0700 well, the hook is for your own use case but it would be for 2.1 only anyway, not for 2.0 --------------------------------------------------------------------------- by snc at 2011/11/07 15:11:52 -0800 Now that #2414 is merged to 2.1, this could be simplified for the master branch...
Diffstat (limited to 'Http')
-rw-r--r--Http/Firewall/ExceptionListener.php8
1 files changed, 8 insertions, 0 deletions
diff --git a/Http/Firewall/ExceptionListener.php b/Http/Firewall/ExceptionListener.php
index a36baf3..1535b9b 100644
--- a/Http/Firewall/ExceptionListener.php
+++ b/Http/Firewall/ExceptionListener.php
@@ -15,7 +15,9 @@ use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
@@ -158,6 +160,12 @@ class ExceptionListener
$this->setTargetPath($request);
+ if ($authException instanceof AccountStatusException && ($token = $this->context->getToken()) instanceof UsernamePasswordToken) {
+ // remove the security token to prevent infinite redirect loops
+ $this->context->setToken(null);
+ $request->getSession()->remove('_security_' . $token->getProviderKey());
+ }
+
return $this->authenticationEntryPoint->start($request, $authException);
}
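Review bot: The new block calls `$request->getSession()->remove(...)` with no check that the request actually carries a session, so on a request where `getSession()` yields null (a stateless firewall, for example) the cleanup itself would fail instead of the entry point being reached; guarding it with `if ($request->hasSession()) { $request->getSession()->remove('_security_' . $token->getProviderKey()); }` keeps the token reset in the context regardless. The `'_security_'` prefix is presumably the same key under which the token was persisted elsewhere (the context listener, I would guess), and duplicating that string literal here means the two can drift apart silently; a shared constant on that class, or a comment naming where the key must match, would make the coupling visible. The comment on the added line could also say why removing only the token is enough: `// the entry point's redirect would otherwise re-trigger the AccountStatusException on every request`. The enclosing method begins outside this hunk, so the origin of `$authException` is not visible here.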