[Security/Http] Remove CSRF tokens from storage on successful login
nicolas-grekas committed Jan 24, 2023
1 parent d2a6bf4 commit 076fd20
Showing 4 changed files with 9 additions and 4 deletions.
1 change: 1 addition & 0 deletions Resources/config/security.xml
Expand Up @@ -63,6 +63,7 @@

<service id="security.authentication.session_strategy" class="Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy">
<argument>%security.authentication.session_strategy.strategy%</argument>
<argument type="service" id="security.csrf.token_storage" on-invalid="ignore" />
</service>
<service id="Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface" alias="security.authentication.session_strategy" />

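Review bot: The new `security.csrf.token_storage` argument is wired with `on-invalid="ignore"`, so when that service is not defined (CSRF protection switched off) the strategy receives null and no token clearing happens at login; that is a deliberate degradation, but nothing in this file records it for the next reader. Consider an XML comment on the new line: `<!-- clears CSRF tokens on successful login; null when security.csrf.token_storage is not defined -->`. Whether SessionAuthenticationStrategy accepts a nullable second constructor argument is decided in symfony/security-http, outside this repository; the composer.json hunk raising the constraint to ^4.4.50 presumably pins the version that added it, and that coupling is worth a sentence in the commit description.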
6 changes: 6 additions & 0 deletions Tests/Functional/CsrfFormLoginTest.php
Expand Up @@ -19,12 +19,15 @@ class CsrfFormLoginTest extends AbstractWebTestCase
public function testFormLoginAndLogoutWithCsrfTokens($config)
{
$client = $this->createClient(['test_case' => 'CsrfFormLogin', 'root_config' => $config]);
static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');

$form = $client->request('GET', '/login')->selectButton('login')->form();
$form['user_login[username]'] = 'johannes';
$form['user_login[password]'] = 'test';
$client->submit($form);

$this->assertFalse(static::$container->get('security.csrf.token_storage')->hasToken('foo'));

$this->assertRedirect($client->getResponse(), '/profile');

$crawler = $client->followRedirect();
Expand All @@ -48,11 +51,14 @@ public function testFormLoginAndLogoutWithCsrfTokens($config)
public function testFormLoginWithInvalidCsrfToken($config)
{
$client = $this->createClient(['test_case' => 'CsrfFormLogin', 'root_config' => $config]);
static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');

$form = $client->request('GET', '/login')->selectButton('login')->form();
$form['user_login[_token]'] = '';
$client->submit($form);

$this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo'));

$this->assertRedirect($client->getResponse(), '/login');

$text = $client->followRedirect()->text(null, true);
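Review bot: The new `hasToken('foo')` assertions in both hunks check only a synthetic token, and neither test name states the invariant being added, so the intent (a token stored before login must be gone after a successful login but must still be there after a rejected one) is only recoverable from the diff. A one-line comment above each new assertion would carry it, e.g. `// a token stored before login must not survive a successful login` in the first hunk and `// a rejected login must leave existing CSRF tokens untouched` in the second. As a point of style, `static::$container->get('security.csrf.token_storage')` is now fetched twice per test; a local `$tokenStorage` assigned once after `createClient()` would read better. Both test methods continue past their hunks.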
4 changes: 1 addition & 3 deletions Tests/Functional/LogoutTest.php
Expand Up @@ -36,15 +36,13 @@ public function testSessionLessRememberMeLogout()
public function testCsrfTokensAreClearedOnLogout()
{
$client = $this->createClient(['test_case' => 'LogoutWithoutSessionInvalidation', 'root_config' => 'config.yml']);
static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');

$client->request('POST', '/login', [
'_username' => 'johannes',
'_password' => 'test',
]);

$this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo'));
$this->assertSame('bar', static::$container->get('security.csrf.token_storage')->getToken('foo'));
static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');

$client->request('GET', '/logout');

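Review bot: Moving `setToken('foo', 'bar')` to after the login request drops the two assertions that used to prove the token was present before `/logout` is requested, so the hunk no longer establishes its own precondition; the post-logout checks are outside this hunk, and if the moved call ended up writing to a session the client no longer sends, a "token is cleared" assertion would pass vacuously. Keep a guard directly after the moved line: `$this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo'));`. The test method continues past the hunk.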
2 changes: 1 addition & 1 deletion composer.json
Expand Up @@ -25,7 +25,7 @@
"symfony/security-core": "^4.4",
"symfony/security-csrf": "^4.2|^5.0",
"symfony/security-guard": "^4.2|^5.0",
"symfony/security-http": "^4.4.5"
"symfony/security-http": "^4.4.50"
},
"require-dev": {
"doctrine/annotations": "^1.10.4",
