Skip to content

[Security] Use the session only if it is started when using SameOriginCsrfTokenManager #59146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 2, 2025
Merged

[Security] Use the session only if it is started when using SameOriginCsrfTokenManager #59146

merged 1 commit into from
Jan 2, 2025

Conversation

Crovitche-1623
Copy link

@Crovitche-1623 Crovitche-1623 commented Dec 9, 2024
edited
Loading

Q A
Branch? 7.2
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix #59092
License MIT

If I understand well, the SameOriginCsrfTokenManager has been created to provide a stateless way of creating CSRF tokens and therefore allow pages with CSRF tokens to be cached.

When using Symfony\Component\Security\Csrf\SameOriginCsrfTokenManager, I think an additionnal check must be done to ensure that the session is started in addition to verifying that it exists. If not, the CSRF strategy used will be persisted everytime in the session and the stateless check (used with the #[Route] attribute parameter) will therefore never pass.

@carsonbot carsonbot added this to the 7.3 milestone Dec 9, 2024
@carsonbot
Copy link

Hey!

I see that this is your first PR. That is great! Welcome!

Symfony has a contribution guide which I suggest you to read.

In short:

  • Always add tests
  • Keep backward compatibility (see https://symfony.com/bc).
  • Bug fixes must be submitted against the lowest maintained branch where they apply (see https://symfony.com/releases)
  • Features and deprecations must be submitted against the 7.3 branch.

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change.

When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor!
If this PR is merged in a lower version branch, it will be merged up to all maintained branches within a few days.

I am going to sit back now and wait for the reviews.

Cheers!

Carsonbot

@carsonbot carsonbot changed the title [Security][Routing] Use the session only if it is started when using SameOriginCsrfTokenManager [Routing][Security] Use the session only if it is started when using SameOriginCsrfTokenManager Dec 9, 2024
@carsonbot
Copy link

Hey!

Thanks for your PR. You are targeting branch "7.3" but it seems your PR description refers to branch "7.2".
Could you update the PR description or change target branch? This helps core maintainers a lot.

Cheers!

Carsonbot

@Crovitche-1623 Crovitche-1623 changed the base branch from 7.3 to 7.2 December 9, 2024 14:17
@Crovitche-1623
Copy link
Author

Maybe you could you take a look @nicolas-grekas ? 🙏

@nicolas-grekas nicolas-grekas modified the milestones: 7.3, 7.2 Jan 2, 2025
@carsonbot carsonbot changed the title [Routing][Security] Use the session only if it is started when using SameOriginCsrfTokenManager [Security] Use the session only if it is started when using SameOriginCsrfTokenManager Jan 2, 2025
nicolas-grekas
nicolas-grekas approved these changes Jan 2, 2025
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made some changes to also not trigger session usage tracking.

@Crovitche-1623
Copy link
Author

Thanks !

@fabpot
Copy link
Member

fabpot commented Jan 2, 2025

Thank you @Crovitche-1623.

@fabpot fabpot merged commit e36382c into symfony:7.2 Jan 2, 2025
10 of 11 checks passed
@Crovitche-1623 Crovitche-1623 deleted the fix_59092 branch January 2, 2025 20:48
@fabpot fabpot mentioned this pull request Jan 29, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
7.2
5 participants
@Crovitche-1623 @carsonbot @fabpot @nicolas-grekas @chalasr