merged branch TerjeBr/persistent-token-provider (PR #6055)
This PR was merged into the master branch. Commits ------- d1b5093 Try to make sure cookies get deleted from the TokenProvider when no longer in use Discussion ---------- Delete cookies from the TokenProvider that is no longer in use Bug fix: yes Feature addition: no Backwards compatibility break: no Symfony2 tests pass: yes Todo: - License of the code: MIT When the user logs in, or login fails for some reason, the old "remember me" cookie should be deleted from the TokenProvider if you are using the PersistentTokenBasedRememberMeServices. As the code is now, the token is only deleted on logout. --------------------------------------------------------------------------- by TerjeBr at 2012-11-20T13:45:54Z So, anything else that needs to be done before this is merged? --------------------------------------------------------------------------- by TerjeBr at 2012-11-21T10:30:53Z Ok, I have corrected the typo in the comment and squashed the commit. --------------------------------------------------------------------------- by schmittjoh at 2012-11-21T10:36:29Z btw, ``canceled`` (more American) and ``cancelled`` (more British) are both correct English forms. On Wed, Nov 21, 2012 at 11:30 AM, Terje Bråten <notifications@github.com>wrote: > Ok, I have corrected the typo in the comment and squashed the commit. > > — > Reply to this email directly or view it on GitHub<#6055 (comment)>. > > --------------------------------------------------------------------------- by schmittjoh at 2012-11-21T10:40:24Z As a side-note have you verified that this does not break the cookie theft protection? --------------------------------------------------------------------------- by TerjeBr at 2012-11-21T10:51:10Z Yes, cookie theft protection is still there and is functioning well. 
--------------------------------------------------------------------------- by TerjeBr at 2012-11-21T11:14:04Z I am using this together with the DoctrineTokenProvider in issue #6057 in my own project and done some extensive testing on it. --------------------------------------------------------------------------- by TerjeBr at 2012-11-23T10:30:34Z Is this ready to be merged now?
2 parents c8ebc1e + d1b5093 commit d5ff238

4 files changed

+17
-13
lines changed

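--- a/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php
+++ b/src/Symfony/Component/Security/Http/RememberMe/AbstractRememberMeServices.php
@@ -172,6 +172,9 @@ final public function loginFail(Request $request)
 */
 final public function loginSuccess(Request $request, Response $response, TokenInterface $token)
 {
+// Make sure any old remember-me cookies are cancelled
+$this->cancelCookie($request);
+
 if (!$token->getUser() instanceof UserInterface) {
 if (null !== $this->logger) {
 $this->logger->debug('Remember-me ignores token since it does not contain a UserInterface implementation.');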
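Review bot: The added `$this->cancelCookie($request);` at new line 176 runs before any check on the token, so for PersistentTokenBasedRememberMeServices (whose override in this same commit deletes the stored series) every call to loginSuccess now also hits the token provider, including the early-return paths that follow; the one-line comment does not say so. It also appears to queue a delete-cookie on the request that onLoginSuccess() must later undo before setting the fresh cookie (the `attributes->remove(self::COOKIE_ATTR_NAME)` added in the persistent subclass), an ordering that is easy to break when the two methods are edited independently. I would extend the comment to `// Cancel first: clears the client cookie and, for persistent tokens, the stored series; onLoginSuccess() sets the replacement cookie afterwards.` The rest of loginSuccess lies outside the hunk.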

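--- a/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
+++ b/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
@@ -63,10 +63,12 @@ public function setTokenProvider(TokenProviderInterface $tokenProvider)
 /**
 * {@inheritDoc}
 */
-public function logout(Request $request, Response $response, TokenInterface $token)
+protected function cancelCookie(Request $request)
 {
-parent::logout($request, $response, $token);
+// Delete cookie on the client
+parent::cancelCookie($request);
 
+// Delete cookie from the tokenProvider
 if (null !== ($cookie = $request->cookies->get($this->options['name']))
 && count($parts = $this->decodeCookie($cookie)) === 2
 ) {
@@ -88,8 +90,6 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
 $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
 
 if ($persistentToken->getTokenValue() !== $tokenValue) {
-$this->tokenProvider->deleteTokenBySeries($series);
-
 throw new CookieTheftException('This token was already used. The account is possibly compromised.');
 }
 
@@ -133,6 +133,7 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
 )
 );
 
+$request->attributes->remove(self::COOKIE_ATTR_NAME);
 $response->headers->setCookie(
 new Cookie(
 $this->options['name'],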
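Review bot: In the second hunk, dropping `$this->tokenProvider->deleteTokenBySeries($series);` at old line 91 leaves the theft path dependent on a caller catching `CookieTheftException` and invoking `cancelCookie()`; that caller is outside this diff, and nothing in `processAutoLoginCookie` records the dependency, so a maintainer reading only this method sees a theft detected and the compromised series apparently left in the store. I would add above the throw: `// The compromised series is removed from the token provider by cancelCookie(), which the caller is expected to invoke when this exception is caught.` The overriding `cancelCookie()` in the first hunk keeps only `{@inheritDoc}` although it now has a side effect the parent does not — deleting the stored series named by the request cookie — and after this commit it is reached from loginFail() and loginSuccess() as well as logout(); a sentence in its docblock stating that would help. The body of cancelCookie and the enclosing processAutoLoginCookie/onLoginSuccess methods continue outside the hunks.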

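--- a/src/Symfony/Component/Security/Tests/Http/RememberMe/AbstractRememberMeServicesTest.php
+++ b/src/Symfony/Component/Security/Tests/Http/RememberMe/AbstractRememberMeServicesTest.php
@@ -39,7 +39,7 @@ public function testGetKey()
 
 public function testAutoLoginReturnsNullWhenNoCookie()
 {
-$service = $this->getService(null, array('name' => 'foo'));
+$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
 
 $this->assertNull($service->autoLogin(new Request()));
 }
@@ -49,7 +49,7 @@ public function testAutoLoginReturnsNullWhenNoCookie()
 */
 public function testAutoLoginThrowsExceptionWhenImplementationDoesNotReturnUserInterface()
 {
-$service = $this->getService(null, array('name' => 'foo'));
+$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
 $request = new Request;
 $request->cookies->set('foo', 'foo');
 
@@ -64,7 +64,7 @@ public function testAutoLoginThrowsExceptionWhenImplementationDoesNotReturnUserI
 
 public function testAutoLogin()
 {
-$service = $this->getService(null, array('name' => 'foo'));
+$service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));
 $request = new Request();
 $request->cookies->set('foo', 'foo');
 
@@ -112,7 +112,7 @@ public function testLoginFail()
 
 public function testLoginSuccessIsNotProcessedWhenTokenDoesNotContainUserInterfaceImplementation()
 {
-$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => true));
+$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => true, 'path' => null, 'domain' => null));
 $request = new Request;
 $response = new Response;
 $account = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
@@ -135,7 +135,7 @@ public function testLoginSuccessIsNotProcessedWhenTokenDoesNotContainUserInterfa
 
 public function testLoginSuccessIsNotProcessedWhenRememberMeIsNotRequested()
 {
-$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => false, 'remember_me_parameter' => 'foo'));
+$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => false, 'remember_me_parameter' => 'foo', 'path' => null, 'domain' => null));
 $request = new Request;
 $response = new Response;
 $account = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
@@ -159,7 +159,7 @@ public function testLoginSuccessIsNotProcessedWhenRememberMeIsNotRequested()
 
 public function testLoginSuccessWhenRememberMeAlwaysIsTrue()
 {
-$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => true));
+$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => true, 'path' => null, 'domain' => null));
 $request = new Request;
 $response = new Response;
 $account = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
@@ -184,7 +184,7 @@ public function testLoginSuccessWhenRememberMeAlwaysIsTrue()
 */
 public function testLoginSuccessWhenRememberMeParameterWithPathIsPositive($value)
 {
-$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => false, 'remember_me_parameter' => 'foo[bar]'));
+$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => false, 'remember_me_parameter' => 'foo[bar]', 'path' => null, 'domain' => null));
 
 $request = new Request;
 $request->request->set('foo', array('bar' => $value));
@@ -211,7 +211,7 @@ public function testLoginSuccessWhenRememberMeParameterWithPathIsPositive($value
 */
 public function testLoginSuccessWhenRememberMeParameterIsPositive($value)
 {
-$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => false, 'remember_me_parameter' => 'foo'));
+$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => false, 'remember_me_parameter' => 'foo', 'path' => null, 'domain' => null));
 
 $request = new Request;
 $request->request->set('foo', $value);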
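Review bot: The pair `'path' => null, 'domain' => null` is now repeated in all eight test methods of this file (and once more in TokenBasedRememberMeServicesTest), and the reason it became necessary — presumably that cancelCookie() is now called from loginSuccess() and reads these two options — is not recorded anywhere. I would move the defaults into the `getService()` helper, which lies outside the hunks, so each test can revert to `$service = $this->getService(null, array('name' => 'foo'));`, and put a short comment on the helper explaining why the two keys must always be present. That keeps each per-test option array limited to what that test is actually exercising.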

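--- a/src/Symfony/Component/Security/Tests/Http/RememberMe/TokenBasedRememberMeServicesTest.php
+++ b/src/Symfony/Component/Security/Tests/Http/RememberMe/TokenBasedRememberMeServicesTest.php
@@ -179,7 +179,7 @@ public function testLoginFail()
 
 public function testLoginSuccessIgnoresTokensWhichDoNotContainAnUserInterfaceImplementation()
 {
-$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => true));
+$service = $this->getService(null, array('name' => 'foo', 'always_remember_me' => true, 'path' => null, 'domain' => null));
 $request = new Request;
 $response = new Response;
 $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');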
