Upgrading from Symfony 4.x to Symfony 5.x logouts all users #44676
Comments
|
That would indeed be an unfortunate blocker for an upgrade. I haven't investigated yet, but maybe we can change the serialization on 4.4 to not include the role class? Would you be able to work on a PR? |
|
I'm not sure if we should fix this in Symfony to be honest. As this is about the update from 4.4 to 5.x, people have been facing this for 2 years already. To my knowledge, this is the first report. Which indicates to me that it's not considered important for many users of Symfony. Even more, @ajgarlag already provided a working solution. So the issue can be fixed without changing anything in the code of an LTS version, which is due to stability reasons always better. |
Just an FYI that I also have faced this issue upgrading from one version to another.. can't remember which.. I think it was on a minor 5.x upgrade. But as you said it was not of a big importance and I haven't reported it.. I remember that it had to do something with changing the serialization changes.. not sure... |
For people using only LTS versions, it's rather 1 month. Changing how the token is serialized on 4.4 is likely to break someone else's code though, I agree we should not fix this. |
|
I recall that we've fixed similar problems in the past. And imho, apps should be able to upgrade from 4.4 to 5.4 without all active sessions being terminated. Maybe my idea was not the best one, but if we can do something to ease the upgrade here, I think we should. |
That was my first option: avoid roles serialization in
This is my case. I see two options here:
|
|
Thanks for fixing it. I didn't report it but I am sure many high traffic websites with long sessions had this issue. We always check sessions between symfony and PHP upgrades. For me I just copy&pasted Role class from Symfony4 to our codebase. We have 20+ different symfony apps who share the same session and we upgrade and deploy each app separately and session need to work between them |
Symfony version(s) affected
5.x
Description
The
Symfony\Component\Security\Core\Role\RoleandSymfony\Component\Security\Core\Role\SwitchUserRoleclasses were deprecated in Symfony 4.3 and removed in Symfony 5.0.But if you are using PHP sessions to keep users logged in and you are using any authentication token that extends the given
AbstractToken, the authenticated token is being serialized with references to old role classes in your Symfony 4 app.When you upgrade your app to Symfony 5, and the
ContextListenertries to unserialize the token, the old role classes no longer exist, causing an exception. The exception is caught by Symfony and your users will only see their sessions closed without any reason.How to reproduce
Execute:
git clone git@github.com:ajgarlag/sf4-to-sf5-bug.git cd sf4-to-sf5-bug git checkout origin/4.x composer install symfony serve -dNow visit http://localhost:8000/profile and fill the login form with:
userfoobarYou will be logged in. Keep this browser window open.
Execute:
Refresh the browser window. You will be logged out. If you explore the profile from redirect response you will see:
Possible Solution
I'm not sure how to fix it in Symfony code, so I've created a little package that will provide the missing classes: ajgl/sf4-to-sf5-role-unserialization
To see it in action try the following reproducer:
Execute:
git clone git@github.com:ajgarlag/sf4-to-sf5-bug.git cd sf4-to-sf5-bug git checkout origin/4.x composer install symfony serve -dNow visit http://localhost:8000/profile and fill the login form with:
userfoobarYou will be logged in. Keep this browser window open.
Execute:
Refresh the browser window. You will be logged in, and your the serialized token stored in session has been successfully upgraded to be Symfony 5 compatible.
Finally you can safely remove my package:
If you refresh the browser window, you will be logged in.
Additional Context
No response
The text was updated successfully, but these errors were encountered: