Description
Symfony version(s) affected
7.2.0
Description
When a #[Route] is marked as stateless: true and the SameOriginCsrfTokenManager.php configuration is enabled, the stateless check fails because the hasSession(true)condition passes and the code is executed when it shouldn't be. Therefore, the CSRF strategy is persisted in the session (I have a csrf-token with the value 1 instead of no value at all).
To make the stateless check pass, I had to modify the following code:
// line 208 of Symfony\Component\Security\Csrf\SameOriginCsrfTokenManager.php
public function persistStrategy(Request $request): void
{
if ($request->hasSession(true) && $request->attributes->has($this->cookieName)) {
$request->getSession()->set($this->cookieName, $request->attributes->get($this->cookieName));
}
}to
public function persistStrategy(Request $request): void
{
if ($request->hasSession(true) && $request->getSession()->isStarted() && $request->attributes->has($this->cookieName)) {
$request->getSession()->set($this->cookieName, $request->attributes->get($this->cookieName));
}
}@nicolas-grekas Maybe you wanted to check if the session was started instead of if a Session object exists ?
How to reproduce
Make a route marked as stateless. For instance:
#[Route(
path: [
'fr' => '/se_connecter',
'en' => '/login',
],
name: 'login',
stateless: true,
)]
public function login() {
// ...
}And configure the app to use stateless CSRF token (https://symfony.com/blog/new-in-symfony-7-2-stateless-csrf)
Possible Solution
Check if the session is started instead of the session exists to define if a value must be written in the session or not.
Additional Context
No response