[Security] Remember_me cookie doesn't get deleted correctly · Issue #35198 · symfony/symfony · GitHub

[Security] Remember_me cookie doesn't get deleted correctly #35198
Closed
@Claicon

Description

Symfony version(s) affected: 4.4.2

Description
The remember_me cookie should get deleted after the user is deauthenticated via EquatableInterface or the normal hasUserChanged check after changing the roles of the user while in an active session. It works correctly when doing that to the username, password or isActive/banned flag, for example, but doesn't work if roles are changed. After changing the roles a second time it works. I thought this was fixed with #34671, but it doesn't work for me with roles.

How to reproduce

  1. login with a user and the remember_me cookie active.
  2. change the role of the user (with EquatableInterface or the normal hasUserChanged, which covers role changes too).
  3. check if user is still logged in / in an active session.

Additional context
Here are the logs directly after I changed the role and reloaded the page. The remember-me cookie is being cleared, but a new remember-me cookie is detected afterwards and accepted again, and the session is still kind of active (is_fully_authenticated() returns false, is_authenticated() returns true).

[2020-01-02 13:08:48] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Guard\\Token\\PostAuthenticationGuardToken"} []
[2020-01-02 13:08:48] security.DEBUG: Cannot refresh token because user has changed. {"username":"Claicon","provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider"} []
[2020-01-02 13:08:48] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2020-01-02 13:08:48] security.DEBUG: Clearing remember-me cookie. {"name":"REMEMBERME"} []
[2020-01-02 13:08:48] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"main","authenticators":1} []
[2020-01-02 13:08:48] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"main","authenticator":"App\\Security\\LoginFormAuthenticator"} []
[2020-01-02 13:08:48] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"main","authenticator":"App\\Security\\LoginFormAuthenticator"} []
[2020-01-02 13:08:48] security.DEBUG: Remember-me cookie detected. [] []
[2020-01-02 13:08:48] security.INFO: Remember-me cookie accepted. [] []
[2020-01-02 13:08:48] security.DEBUG: Populated the token storage with a remember-me token. [] []
[2020-01-02 13:08:48] security.DEBUG: Stored the security token in the session. {"key":"_security_main"} []

After changing the role AGAIN and reloading the page it seems to be fine: the remember-me cookie is cleared and the token storage is populated with an anonymous token (as it should be).

[2020-01-02 13:15:31] security.DEBUG: Read existing security token from the session. {"key":"_security_main","token_class":"Symfony\\Component\\Security\\Core\\Authentication\\Token\\RememberMeToken"} []
[2020-01-02 13:15:31] security.DEBUG: Cannot refresh token because user has changed. {"username":"Claicon","provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider"} []
[2020-01-02 13:15:31] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2020-01-02 13:15:31] security.DEBUG: Clearing remember-me cookie. {"name":"REMEMBERME"} []
[2020-01-02 13:15:31] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"main","authenticators":1} []
[2020-01-02 13:15:31] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"main","authenticator":"App\\Security\\LoginFormAuthenticator"} []
[2020-01-02 13:15:31] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"main","authenticator":"App\\Security\\LoginFormAuthenticator"} []
[2020-01-02 13:15:31] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
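The report above hinges on whether the user's equality check treats a role change as a change. As an added example (not code from the issue or from Symfony itself), here is a user class whose EquatableInterface::isEqualTo() compares roles explicitly, alongside username, password hash and active flag, so that revoking or granting a role fails the comparison the firewall runs when it refreshes the user on each request. It assumes symfony/security-core 4.4 is installed via Composer; the class name, property names and the sample users at the bottom are constructed for illustration.

```php
<?php
// Added example, not code from the issue or from Symfony itself.
// Assumes symfony/security-core 4.4 is installed (vendor/autoload.php).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

/**
 * Hypothetical user class. Every attribute whose change should end an
 * existing session is part of isEqualTo(): identifier, password hash,
 * active flag and roles. If roles are left out, a role change leaves the
 * already-authenticated token valid until something else changes.
 */
final class User implements UserInterface, EquatableInterface
{
    /** @var string */
    private $username;
    /** @var string */
    private $password;
    /** @var string[] */
    private $roles;
    /** @var bool */
    private $active;

    public function __construct(string $username, string $password, array $roles, bool $active = true)
    {
        $this->username = $username;
        $this->password = $password;
        $this->roles = $roles;
        $this->active = $active;
    }

    public function getUsername(): string { return $this->username; }
    public function getPassword(): string { return $this->password; }
    public function getSalt() { return null; }          // hash algorithm carries its own salt
    public function eraseCredentials() {}               // nothing sensitive kept in memory
    public function isActive(): bool { return $this->active; }

    /** ROLE_USER is always present so every authenticated user has at least one role. */
    public function getRoles(): array
    {
        return array_values(array_unique(array_merge($this->roles, ['ROLE_USER'])));
    }

    /**
     * Called with the freshly loaded user (from the user provider's refreshUser())
     * and compared against the user stored in the session token. Returning false
     * deauthenticates the token on this request.
     */
    public function isEqualTo(UserInterface $user): bool
    {
        if (!$user instanceof self) {
            return false;
        }
        if ($this->username !== $user->getUsername()
            || $this->password !== $user->getPassword()
            || $this->active !== $user->isActive()) {
            return false;
        }

        // Compare roles as sets: a different ordering is not a change,
        // but any added or removed role is.
        $mine = $this->getRoles();
        $theirs = $user->getRoles();
        sort($mine);
        sort($theirs);

        return $mine === $theirs;
    }
}

// Constructed sample: $sessionUser is what the token holds, $freshUser is what
// the provider reloads after an administrator revoked ROLE_ADMIN, and
// $reordered is the same user with the same roles in a different order.
$placeholderHash = 'constructed-password-hash';
$sessionUser = new User('claicon', $placeholderHash, ['ROLE_ADMIN', 'ROLE_USER']);
$freshUser   = new User('claicon', $placeholderHash, ['ROLE_USER']);
$reordered   = new User('claicon', $placeholderHash, ['ROLE_USER', 'ROLE_ADMIN']);

var_dump($sessionUser->isEqualTo($freshUser));   // role set shrank: token must be deauthenticated
var_dump($sessionUser->isEqualTo($reordered));   // same role set: no change, token is kept
```

This only covers the detection half of the problem. With such an isEqualTo() the firewall logs "Cannot refresh token because user has changed" on the first request after the change, exactly as in the log above; whether the remember-me cookie that is cleared in the same request is then accepted again by the remember-me listener is the behaviour the issue is about, and this class does not alter that path.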
