symfony
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php
Lines changed: 15 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php
Lines changed: 15 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php
Lines changed: 16 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
Lines changed: 14 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/SimplePreAuthenticationListener.php
Lines changed: 16 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Firewall/SimplePreAuthenticationListener.php
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php
Lines changed: 4 additions & 1 deletion b/‎src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php
Lines changed: 4 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategyInterface.php
Lines changed: 2 additions & 2 deletions b/‎src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategyInterface.php
Lines changed: 2 additions & 2 deletions
@@ -82,6 +82,9 @@ final public function handle(GetResponseEvent $event)
             if (null !== $this->logger) {
                 $this->logger->info('Pre-authentication successful.', array('token' => (string) $token));
             }
+
+            $this->migrateSession($request);
+
             $this->tokenStorage->setToken($token);
 
             if (null !== $this->dispatcher) {
@@ -114,4 +117,16 @@ private function clearToken(AuthenticationException $exception)
      * @return array An array composed of the user and the credentials
      */
     abstract protected function getPreAuthenticatedData(Request $request);
+
+    private function migrateSession(Request $request)
+    {
+        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+            return;
+        }
+
+        // Destroying the old session is broken in php 5.4.0 - 5.4.10
+        // See https://bugs.php.net/63379
+        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
+        $request->getSession()->migrate($destroy);
+    }
 }
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Firewall;
 
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
@@ -70,6 +71,9 @@ public function handle(GetResponseEvent $event)
 
         try {
             $token = $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'), $this->providerKey));
+
+            $this->migrateSession($request);
+
             $this->tokenStorage->setToken($token);
         } catch (AuthenticationException $e) {
             $token = $this->tokenStorage->getToken();
@@ -88,4 +92,16 @@ public function handle(GetResponseEvent $event)
             $event->setResponse($this->authenticationEntryPoint->start($request, $e));
         }
     }
+
+    private function migrateSession(Request $request)
+    {
+        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+            return;
+        }
+
+        // Destroying the old session is broken in php 5.4.0 - 5.4.10
+        // See https://bugs.php.net/63379
+        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
+        $request->getSession()->migrate($destroy);
+    }
 }
@@ -118,6 +118,8 @@ public function handle(GetResponseEvent $event)
             $this->logger->info('Digest authentication successful.', array('username' => $digestAuth->getUsername(), 'received' => $digestAuth->getResponse()));
         }
 
+        $this->migrateSession($request);
+
         $this->tokenStorage->setToken(new UsernamePasswordToken($user, $user->getPassword(), $this->providerKey));
     }
 
@@ -134,6 +136,18 @@ private function fail(GetResponseEvent $event, Request $request, AuthenticationE
 
         $event->setResponse($this->authenticationEntryPoint->start($request, $authException));
     }
+
+    private function migrateSession(Request $request)
+    {
+        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+            return;
+        }
+
+        // Destroying the old session is broken in php 5.4.0 - 5.4.10
+        // See https://bugs.php.net/63379
+        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
+        $request->getSession()->migrate($destroy);
+    }
 }
 
 class DigestData
 
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Firewall;
 
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
@@ -85,6 +86,9 @@ public function handle(GetResponseEvent $event)
             }
 
             $token = $this->authenticationManager->authenticate($token);
+
+            $this->migrateSession($request);
+
             $this->tokenStorage->setToken($token);
 
             if (null !== $this->dispatcher) {
@@ -119,4 +123,16 @@ public function handle(GetResponseEvent $event)
             }
         }
     }
+
+    private function migrateSession(Request $request)
+    {
+        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+            return;
+        }
+
+        // Destroying the old session is broken in php 5.4.0 - 5.4.10
+        // See https://bugs.php.net/63379
+        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
+        $request->getSession()->migrate($destroy);
+    }
 }
@@ -47,8 +47,11 @@ public function onAuthentication(Request $request, TokenInterface $token)
                 return;
 
             case self::MIGRATE:
+                // Note: this logic is duplicated in several authentication listeners
+                // until Symfony 5.0 due to a security fix with BC compat
+
                 // Destroying the old session is broken in php 5.4.0 - 5.4.10
-                // See php bug #63379
+                // See https://bugs.php.net/63379
                 $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
                 $request->getSession()->migrate($destroy);
 
 
@@ -27,8 +27,8 @@ interface SessionAuthenticationStrategyInterface
     /**
      * This performs any necessary changes to the session.
      *
-     * This method is called before the TokenStorage is populated with a
-     * Token, and only by classes inheriting from AbstractAuthenticationListener.
+     * This method should be called before the TokenStorage is populated with a
+     * Token. It should be used by authentication listeners when a session is used.
      */
     public function onAuthentication(Request $request, TokenInterface $token);
 }
Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,8 @@ public function handle(GetResponseEvent $event)`
`118`	`118`	`$this->logger->info('Digest authentication successful.', array('username' => $digestAuth->getUsername(), 'received' => $digestAuth->getResponse()));`
`119`	`119`	`}`
`120`	`120`
	`121`	`+ $this->migrateSession($request);`
	`122`	`+`
`121`	`123`	`$this->tokenStorage->setToken(new UsernamePasswordToken($user, $user->getPassword(), $this->providerKey));`
`122`	`124`	`}`
`123`	`125`
`@@ -134,6 +136,18 @@ private function fail(GetResponseEvent $event, Request $request, AuthenticationE`
`134`	`136`
`135`	`137`	`$event->setResponse($this->authenticationEntryPoint->start($request, $authException));`
`136`	`138`	`}`
	`139`	`+`
	`140`	`+ private function migrateSession(Request $request)`
	`141`	`+ {`
	`142`	`+ if (!$request->hasSession() \|\| !$request->hasPreviousSession()) {`
	`143`	`+ return;`
	`144`	`+ }`
	`145`	`+`
	`146`	`+ // Destroying the old session is broken in php 5.4.0 - 5.4.10`
	`147`	`+ // See https://bugs.php.net/63379`
	`148`	`+ $destroy = \PHP_VERSION_ID < 50400 \|\| \PHP_VERSION_ID >= 50411;`
	`149`	`+ $request->getSession()->migrate($destroy);`
	`150`	`+ }`
`137`	`151`	`}`
`138`	`152`
`139`	`153`	`class DigestData`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\Security\Http\Firewall;`
`13`	`13`
	`14`	`+use Symfony\Component\HttpFoundation\Request;`
`14`	`15`	`use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;`
`15`	`16`	`use Psr\Log\LoggerInterface;`
`16`	`17`	`use Symfony\Component\HttpKernel\Event\GetResponseEvent;`
`@@ -85,6 +86,9 @@ public function handle(GetResponseEvent $event)`
`85`	`86`	`}`
`86`	`87`
`87`	`88`	`$token = $this->authenticationManager->authenticate($token);`
	`89`	`+`
	`90`	`+ $this->migrateSession($request);`
	`91`	`+`
`88`	`92`	`$this->tokenStorage->setToken($token);`
`89`	`93`
`90`	`94`	`if (null !== $this->dispatcher) {`
`@@ -119,4 +123,16 @@ public function handle(GetResponseEvent $event)`
`119`	`123`	`}`
`120`	`124`	`}`
`121`	`125`	`}`
	`126`	`+`
	`127`	`+ private function migrateSession(Request $request)`
	`128`	`+ {`
	`129`	`+ if (!$request->hasSession() \|\| !$request->hasPreviousSession()) {`
	`130`	`+ return;`
	`131`	`+ }`
	`132`	`+`
	`133`	`+ // Destroying the old session is broken in php 5.4.0 - 5.4.10`
	`134`	`+ // See https://bugs.php.net/63379`
	`135`	`+ $destroy = \PHP_VERSION_ID < 50400 \|\| \PHP_VERSION_ID >= 50411;`
	`136`	`+ $request->getSession()->migrate($destroy);`
	`137`	`+ }`
`122`	`138`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,8 @@ interface SessionAuthenticationStrategyInterface`
`27`	`27`	`/**`
`28`	`28`	`* This performs any necessary changes to the session.`
`29`	`29`	`*`
`30`		`- * This method is called before the TokenStorage is populated with a`
`31`		`- * Token, and only by classes inheriting from AbstractAuthenticationListener.`
	`30`	`+ * This method should be called before the TokenStorage is populated with a`
	`31`	`+ * Token. It should be used by authentication listeners when a session is used.`
`32`	`32`	`*/`
`33`	`33`	`public function onAuthentication(Request $request, TokenInterface $token);`
`34`	`34`	`}`