8000 bug #40537 [Security] Handle properly 'auto' option for remember me c… · symfony/symfony@9a8e2c2 · GitHub


Commit 9a8e2c2

bug #40537 [Security] Handle properly 'auto' option for remember me cookie security (fliespl)
This PR was merged into the 4.4 branch. Discussion ---------- [Security] Handle properly 'auto' option for remember me cookie security | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #40471 | License | MIT | Doc PR | n/a Manually setting the remember_me cookie's secure option to auto still results in the cookie being set as secure even when used over http. This PR fixes this behaviour by converting auto to null prior to setting it up for the service. Commits ------- 2bcf69c [Security] Handle properly 'auto' option for remember me cookie security
2 parents 7eb4db6 + 2bcf69c commit 9a8e2c2


5 files changed

+75
-1
lines changed


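--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
@@ -69,7 +69,12 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
 }
 
 // remember-me options
-$rememberMeServices->replaceArgument(3, array_intersect_key($config, $this->options));
+$mergedOptions = array_intersect_key($config, $this->options);
+if ('auto' === $mergedOptions['secure']) {
+$mergedOptions['secure'] = null;
+}
+
+$rememberMeServices->replaceArgument(3, $mergedOptions);
 
 // attach to remember-me aware listeners
 $userProviders = [];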
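Review bot: The new comparison `'auto' === $mergedOptions['secure']` reads the key unconditionally, so if `secure` were ever absent from `$config` (it is only an intersection with `$this->options`, so presumably the configuration tree always supplies a value) the lookup would emit an undefined-index notice; `if ('auto' === ($mergedOptions['secure'] ?? null))` costs nothing and removes that dependency. The replacement value also deserves a why-comment, since `null` is what changes behaviour here: `// 'auto' is not a valid value for the cookie's secure flag; null makes the remember-me cookie mirror the request scheme (Secure only over HTTPS), as RememberMeCookieTest asserts — deployments that want the flag pinned should configure secure: true`. The enclosing `create()` method starts before and ends after the hunk.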
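--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_RememberMeCookieTest.php
@@ -0,0 +1,33 @@
+<?php
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
+
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+
+class RememberMeCookieTest extends AbstractWebTestCase
+{
+/** @dataProvider getSessionRememberMeSecureCookieFlagAutoHttpsMap */
+public function testSessionRememberMeSecureCookieFlagAuto($https, $expectedSecureFlag)
+{
+$client = $this->createClient(['test_case' => 'RememberMeCookie', 'root_config' => 'config.yml']);
+
+$client->request('POST', '/login', [
+'_username' => 'test',
+'_password' => 'test',
+], [], [
+'HTTPS' => (int) $https,
+]);
+
+$cookies = $client->getResponse()->headers->getCookies(ResponseHeaderBag::COOKIES_ARRAY);
+
+$this->assertEquals($expectedSecureFlag, $cookies['']['/']['REMEMBERME']->isSecure());
+}
+
+public function getSessionRememberMeSecureCookieFlagAutoHttpsMap()
+{
+return [
+[true, true],
+[false, false],
+];
+}
+}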
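Review bot: `assertEquals` on the result of `isSecure()` at line 23 is a loose comparison, so a non-boolean return such as `0`/`1` or `null` would still satisfy the `false` expectation; `$this->assertSame($expectedSecureFlag, $cookies['']['/']['REMEMBERME']->isSecure());` pins the type as well as the value, which matters for a flag that decides whether an authentication cookie may travel over plain HTTP. The test method's parameters are untyped; `bool $https, bool $expectedSecureFlag` documents what the provider supplies and fails loudly if a data set is added with the wrong shape. The provider could likewise declare `: array` and, having no instance state, be `static`.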
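--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_bundles.php
@@ -0,0 +1,9 @@
+<?php
+
+use Symfony\Bundle\FrameworkBundle\FrameworkBundle;
+use Symfony\Bundle\SecurityBundle\SecurityBundle;
+
+return [
+new FrameworkBundle(),
+new SecurityBundle(),
+];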
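--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_config.yml
@@ -0,0 +1,25 @@
+imports:
+- { resource: ./../config/framework.yml }
+
+security:
+encoders:
+Symfony\Component\Security\Core\User\User: plaintext
+
+providers:
+in_memory:
+memory:
+users:
+test: { password: test, roles: [ROLE_USER] }
+
+firewalls:
+default:
+form_login:
+check_path: login
+remember_me: true
+require_previous_session: false
+remember_me:
+always_remember_me: true
+secret: key
+secure: auto
+logout: ~
+anonymous: ~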
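--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_routing.yml
@@ -0,0 +1,2 @@
+login:
+path: /login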
