From 348bccbbca2bc1d84d7aae153ecc98a1553dea6f Mon Sep 17 00:00:00 2001
From: "H. Westphal"
Date: Mon, 31 Oct 2011 21:27:23 +0100
Subject: [PATCH 1/2] Clear session cookie if user was deleted, is disabled or locked to prevent infinite redirect loops to the login path (fixes #1798).

---
 .../Security/Http/Firewall/ExceptionListener.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
index a36baf3cd4dd9..2a658e940aa66 100644
--- a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
@@ -16,6 +16,7 @@
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
@@ -158,7 +159,15 @@ private function startAuthentication(Request $request, AuthenticationException $
 
         $this->setTargetPath($request);
 
-        return $this->authenticationEntryPoint->start($request, $authException);
+        $response = $this->authenticationEntryPoint->start($request, $authException);
+
+        if ($authException instanceof AccountStatusException && $response instanceof Response) {
+            // clear the session cookie to prevent infinite redirect loops
+            $cookieParams = session_get_cookie_params();
+            $response->headers->clearCookie(session_name(), $cookieParams['path'], $cookieParams['domain']);
+        }
+
+        return $response;
     }
 
     protected function setTargetPath(Request $request)
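Review bot: Clearing the cookie in the new `if` block orphans rather than removes the server-side session record, so the serialized token for the disabled or locked account stays in the session store until garbage collection, and the whole session (flash messages, locale, any other stored state) is discarded along with it; removing the stored security token, as the second patch in this series does, is the narrower fix. `session_name()` and `session_get_cookie_params()` also read PHP's global session configuration directly instead of going through the framework's session abstraction, so if the session cookie name or path is configured elsewhere the cleared cookie may not be the one the browser actually holds. The subject mentions deleted users, but the branch only fires for `AccountStatusException`; if `UsernameNotFoundException` does not extend it in this tree, that case still loops (the same condition is kept by the hunk in the second patch). `startAuthentication` begins outside this hunk.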
From f9befb634811b9ba9fd41ae449c39283131f079e Mon Sep 17 00:00:00 2001
From: "H. Westphal"
Date: Tue, 1 Nov 2011 11:58:03 +0100
Subject: [PATCH 2/2] Remove only the security token instead of the session cookie.

---
 .../Security/Http/Firewall/ExceptionListener.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
index 2a658e940aa66..1535b9b57d178 100644
--- a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
@@ -15,6 +15,7 @@
 use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Core\Exception\AccountStatusException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
@@ -159,15 +160,13 @@ private function startAuthentication(Request $request, AuthenticationException $
 
         $this->setTargetPath($request);
 
-        $response = $this->authenticationEntryPoint->start($request, $authException);
-
-        if ($authException instanceof AccountStatusException && $response instanceof Response) {
-            // clear the session cookie to prevent infinite redirect loops
-            $cookieParams = session_get_cookie_params();
-            $response->headers->clearCookie(session_name(), $cookieParams['path'], $cookieParams['domain']);
+        if ($authException instanceof AccountStatusException && ($token = $this->context->getToken()) instanceof UsernamePasswordToken) {
+            // remove the security token to prevent infinite redirect loops
+            $this->context->setToken(null);
+            $request->getSession()->remove('_security_' . $token->getProviderKey());
         }
 
-        return $response;
+        return $this->authenticationEntryPoint->start($request, $authException);
     }
 
     protected function setTargetPath(Request $request)
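Review bot: The new condition reads `$this->context->getToken()`, but if `startAuthentication` still clears the token unconditionally at its top (outside this hunk, as earlier versions of this method did) the token is already null here and the branch never executes, leaving the redirect loop in place; that earlier line would need to go, or the token would need to be captured before it. The `instanceof UsernamePasswordToken` test also leaves other token classes that carry a provider key untouched, so a disabled account authenticated through another mechanism could still loop; if the intent is only to obtain the provider key, a comment stating why the check is restricted to form-login tokens would help the next reader. `$request->getSession()->remove(...)` assumes a session is present; on a stateless firewall `getSession()` can return null, so guarding with `if ($request->hasSession())` — or skipping the removal when there is no session — avoids a fatal error on the error path. The `'_security_'` key prefix duplicates a convention owned by `ContextListener`; a comment such as `// must match the session key written by ContextListener` records the coupling so a rename there does not silently reintroduce the loop.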