[Security] Skip clearing CSRF Token on stateless logout #50312


Merged: 1 commit into symfony:6.2 from skip-csrfclear-stateless, May 19, 2023

Conversation

@chalasr chalasr commented May 13, 2023

| Q             | A
| ------------- | ---
| Branch?       | 6.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #50310
| License       | MIT
| Doc PR        | -

Not targeting 5.4 LTS as the bug is only breaking on 6.3 although it does exist on prior versions.

@@ -31,6 +32,10 @@ public function __construct(ClearableTokenStorageInterface $csrfTokenStorage)

public function onLogout(LogoutEvent $event): void
{
if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) {
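Review bot: the new guard on the `if` line keys on the concrete `SessionTokenStorage` class, while the constructor shown in the hunk context is typed `ClearableTokenStorageInterface $csrfTokenStorage`, so any other session-backed implementation of that interface still reaches `clear()` on a stateless request and hits the same missing-session failure. Consider checking for the capability rather than the class, or at least adding a one-line comment above the condition saying that skipping the clear is intentional for stateless firewalls, since the hunk adds the condition without explaining why a logout would deliberately leave CSRF tokens in place.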
Member

What about fixing it in SessionTokenStorage instead?

Member Author


Using SessionTokenStorage without a session has been deprecated in 5.x:

```php
public function clear()
{
    // Resolves the session first; on a stateless request this is where it fails.
    $session = $this->getSession();
    foreach (array_keys($session->all()) as $key) {
        if (str_starts_with($key, $this->namespace.'/')) {
            $session->remove($key);
        }
    }
}

/**
 * @throws SessionNotFoundException
 */
private function getSession(): SessionInterface
```

Ideally this listener shouldn't be registered for stateless firewalls; the problem is that it's not a per-firewall listener but a global one. We should probably change that in another (feature) PR.
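The following is an added, dependency-free example written for this page; it is not Symfony's code. It models the failure the PR fixes (a session-backed token storage whose `clear()` needs a session that a stateless logout never had) and the single-condition guard shown in the hunk, then runs one stateful and one stateless logout. The classes are stand-ins that borrow Symfony's names for readability only: the real `SessionTokenStorage` is built from a `RequestStack`, not a `Request`, and the real `Session`, `Request` and `LogoutEvent` have far more surface than the minimal versions here.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code: stand-ins that reproduce the failure this PR
// fixes and the guard it adds. Class names mirror Symfony's for readability only.

final class SessionNotFoundException extends \RuntimeException {}

/** Flat key/value session, enough for the namespace sweep below. */
final class Session
{
    /** @var array<string, string> */
    private array $data = [];

    public function set(string $key, string $value): void { $this->data[$key] = $value; }
    public function all(): array { return $this->data; }
    public function remove(string $key): void { unset($this->data[$key]); }
}

/** A request carries a session only when the client sent a session cookie. */
final class Request
{
    public function __construct(private ?Session $session) {}

    public function hasPreviousSession(): bool { return null !== $this->session; }

    public function getSession(): Session
    {
        if (null === $this->session) {
            throw new SessionNotFoundException('No session available; is the firewall stateless?');
        }
        return $this->session;
    }
}

interface ClearableTokenStorageInterface
{
    public function clear(): void;
}

/** Session-backed storage: clear() removes every key under the CSRF namespace. */
final class SessionTokenStorage implements ClearableTokenStorageInterface
{
    public const SESSION_NAMESPACE = '_csrf';

    public function __construct(private Request $request) {}

    public function clear(): void
    {
        $session = $this->request->getSession(); // throws on a stateless request
        foreach (array_keys($session->all()) as $key) {
            if (str_starts_with($key, self::SESSION_NAMESPACE.'/')) {
                $session->remove($key);
            }
        }
    }
}

final class LogoutEvent
{
    public function __construct(private Request $request) {}
    public function getRequest(): Request { return $this->request; }
}

final class CsrfTokenClearingLogoutListener
{
    public function __construct(private ClearableTokenStorageInterface $csrfTokenStorage) {}

    public function onLogout(LogoutEvent $event): void
    {
        // The guard from the PR: a session-backed storage has nothing to clear for a
        // request that never carried a session, so skip instead of forcing a session.
        if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) {
            return;
        }
        $this->csrfTokenStorage->clear();
    }
}

// Constructed scenario 1: stateful logout. CSRF tokens go, other session data stays.
$session = new Session();
$session->set('_csrf/authenticate', 'tok-a');
$session->set('_csrf/logout', 'tok-b');
$session->set('user_prefs', 'dark');
$request = new Request($session);
$listener = new CsrfTokenClearingLogoutListener(new SessionTokenStorage($request));
$listener->onLogout(new LogoutEvent($request));
if ($session->all() !== ['user_prefs' => 'dark']) {
    throw new \LogicException('stateful logout should only remove _csrf/* keys');
}

// Constructed scenario 2: stateless logout (no session cookie). Without the guard,
// clear() would throw SessionNotFoundException and abort the logout.
$stateless = new Request(null);
$listener = new CsrfTokenClearingLogoutListener(new SessionTokenStorage($stateless));
$listener->onLogout(new LogoutEvent($stateless));
echo "stateful and stateless logouts both completed\n";
```

Remove the `instanceof`/`hasPreviousSession()` condition and scenario 2 throws, which is the regression the follow-up test in this thread is meant to catch; the stand-ins make that reproducible without a Symfony kernel.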

@nicolas-grekas (Member)

Any way to test this?

@nicolas-grekas (Member)

Thank you @chalasr.

@nicolas-grekas nicolas-grekas merged commit 684fdd2 into symfony:6.2 May 19, 2023
@chalasr (Member Author) commented May 19, 2023

> Any way to test this?

Sure, at least something preventing regressions. I'll do!

@chalasr chalasr deleted the skip-csrfclear-stateless branch May 19, 2023 16:00
chalasr added a commit that referenced this pull request May 19, 2023
…tateless logout (chalasr)

This PR was merged into the 6.2 branch.

Discussion
----------

[Security] Test `CsrfTokenClearingLogoutListener` with stateless logout

| Q             | A
| ------------- | ---
| Branch?       | 6.2
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | #50312 (comment)
| License       | MIT
| Doc PR        | -

Commits
-------

099ba75 [Security] Test `CsrfTokenClearingLogoutListener` with stateless logout