Skip to content

Commit 076fd20

Browse files
nicolas-grekasnicolas-grekas
committed
[Security/Http] Remove CSRF tokens from storage on successful login
1 parent d2a6bf4 commit 076fd20

File tree

4 files changed

+9
-4
lines changed

4 files changed

+9
-4
lines changed

Resources/config/security.xml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,7 @@
6363

6464
<service id="security.authentication.session_strategy" class="Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy">
6565
<argument>%security.authentication.session_strategy.strategy%</argument>
66+
<argument type="service" id="security.csrf.token_storage" on-invalid="ignore" />
6667
</service>
6768
<service id="Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface" alias="security.authentication.session_strategy" />
6869

Tests/Functional/CsrfFormLoginTest.php

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,12 +19,15 @@ class CsrfFormLoginTest extends AbstractWebTestCase
1919
public function testFormLoginAndLogoutWithCsrfTokens($config)
2020
{
2121
$client = $this->createClient(['test_case' => 'CsrfFormLogin', 'root_config' => $config]);
22+
static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');
2223

2324
$form = $client->request('GET', '/login')->selectButton('login')->form();
2425
$form['user_login[username]'] = 'johannes';
2526
$form['user_login[password]'] = 'test';
2627
$client->submit($form);
2728

29+
$this->assertFalse(static::$container->get('security.csrf.token_storage')->hasToken('foo'));
30+
2831
$this->assertRedirect($client->getResponse(), '/profile');
2932

3033
$crawler = $client->followRedirect();
@@ -48,11 +51,14 @@ public function testFormLoginAndLogoutWithCsrfTokens($config)
4851
public function testFormLoginWithInvalidCsrfToken($config)
4952
{
5053
$client = $this->createClient(['test_case' => 'CsrfFormLogin', 'root_config' => $config]);
54+
static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');
5155

5256
$form = $client->request('GET', '/login')->selectButton('login')->form();
5357
$form['user_login[_token]'] = '';
5458
$client->submit($form);
5559

60+
$this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo'));
61+
5662
$this->assertRedirect($client->getResponse(), '/login');
5763

5864
$text = $client->followRedirect()->text(null, true);

Tests/Functional/LogoutTest.php

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -36,15 +36,13 @@ public function testSessionLessRememberMeLogout()
3636
public function testCsrfTokensAreClearedOnLogout()
3737
{
3838
$client = $this->createClient(['test_case' => 'LogoutWithoutSessionInvalidation', 'root_config' => 'config.yml']);
39-
static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');
4039

4140
$client->request('POST', '/login', [
4241
'_username' => 'johannes',
4342
'_password' => 'test',
4443
]);
4544

46-
$this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo'));
47-
$this->assertSame('bar', static::$container->get('security.csrf.token_storage')->getToken('foo'));
45+
static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');
4846

4947
$client->request('GET', '/logout');
5048

composer.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@
2525
"symfony/security-core": "^4.4",
2626
"symfony/security-csrf": "^4.2|^5.0",
2727
"symfony/security-guard": "^4.2|^5.0",
28-
"symfony/security-http": "^4.4.5"
28+
"symfony/security-http": "^4.4.50"
2929
},
3030
"require-dev": {
3131
"doctrine/annotations": "^1.10.4",

0 commit comments

Comments
 (0)