Skip to content

[Security] Deprecate using UsageTrackingTokenStorage outside the request-response cycle #40785

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 13, 2021
Merged

[Security] Deprecate using UsageTrackingTokenStorage outside the request-response cycle #40785

merged 1 commit into from
Apr 13, 2021

Conversation

wouterj
Copy link
Member

@wouterj wouterj commented Apr 12, 2021

Q A
Branch? 5.x
Bug fix? yes
New feature? no
Deprecations? yes
Tickets Fix #40778
License MIT
Doc PR -

Currently, you get an "There is currently no session available" exception when using the security.token_storage service outside the main request-response cycle (e.g. in a kernel.terminate listener). This PR deprecates such usage and requires developers to update their definitions to explicitly use security.untracked_token_storage instead.

A different solution would be to silently disable tracking in these cases, but I think that might create some unnecessary technical debt.

@wouterj wouterj requested a review from jderusse April 12, 2021 16:35
@wouterj wouterj requested a review from chalasr as a code owner April 12, 2021 16:35
@wouterj wouterj changed the title [Security] Fix UsageTrackingTokenStorage outside the request cycle [Security] Deprecate using UsageTrackingTokenStorage outside the request-response cycle Apr 12, 2021
@wouterj wouterj force-pushed the issue-40778/usage-tracking-token-storage branch 2 times, most recently from 6ecdbf7 to 53aa87b Compare April 12, 2021 16:49
derrabus
derrabus reviewed Apr 12, 2021
View reviewed changes
UPGRADE-5.3.md Outdated
@@ -102,6 +102,9 @@ Routing
Security
--------

* Deprecate using `UsageTrackingTokenStorage` with tracking enabled without a main request. Use the untracking token
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Deprecate using `UsageTrackingTokenStorage` with tracking enabled without a main request. Use the untracking token
* Deprecate using `UsageTrackingTokenStorage` with tracking enabled without a main request. Use the untracked token

@fabpot fabpot force-pushed the issue-40778/usage-tracking-token-storage branch from 53aa87b to 7452476 Compare April 13, 2021 06:27
@fabpot
Copy link
Member

fabpot commented Apr 13, 2021

Thank you @wouterj.

@fabpot fabpot mentioned this pull request Apr 13, 2021
Closed
@fabpot fabpot merged commit 64cc548 into symfony:5.x Apr 13, 2021
@wouterj wouterj deleted the issue-40778/usage-tracking-token-storage branch April 13, 2021 07:08
@fabpot fabpot mentioned this pull request Apr 18, 2021
Merged
@chalasr chalasr mentioned this pull request Sep 28, 2021
Merged
@jolan78 jolan78 mentioned this pull request Aug 30, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derrabus derrabus derrabus left review comments

@fabpot fabpot fabpot approved these changes

@jderusse jderusse jderusse approved these changes

@chalasr chalasr Awaiting requested review from chalasr

Assignees
No one assigned
Labels
Bug Deprecation Security Status: Reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[HttpFoundation] Regression in using the session in kernel.terminate
5 participants
@wouterj @fabpot @jderusse @derrabus @carsonbot