When `FormProtectionComponent` is enabled with the Authentication plugin active,
calling `AuthenticationComponent::setIdentity()` in parallel requests (ajax, generated image or another tab) causes a call to `SessionAuthenticator::clearIdentity()` and then `Session::renew()`.
The result is that the session id is changed, and the main form submit will fail with `BadRequestException`.
Not sure if it's a bug, but at least it will be documented here.
In my case I have to override `FormProtectionComponent::_getSessionId()` to resolve it.
CakePHP Version
5.0.4
PHP Version
8.1
> When `FormProtectionComponent` is enabled with the Authentication plugin active,
> calling `AuthenticationComponent::setIdentity()` in parallel requests (ajax, generated image or another tab) causes a call to `SessionAuthenticator::clearIdentity()` and then `Session::renew()`.

This is kind of expected: you're setting the identity, which could be privilege escalation, which should require form protection tokens to be rotated. This is important as it prevents form reuse after logout or login.
Tried to work around it by overriding `FormProtectionComponent::_getSessionId()` and returning the user id:

```php
<?php
declare(strict_types=1);

namespace App\Controller\Component;

use Cake\Routing\Router;
use RuntimeException;

class FormProtectionComponent extends \Cake\Controller\Component\FormProtectionComponent
{
    protected function _getSessionId(): string
    {
        return static::getSessionId();
    }

    /**
     * Value the form token is bound to: the identity id (plus deactivation flag)
     * while logged in, the session id otherwise.
     */
    public static function getSessionId(): string
    {
        $request = Router::getRequest();
        if ($request === null) {
            throw new RuntimeException('No current request available to read the session from.');
        }
        $session = $request->getSession();
        $session->start();
        /** @var \Authentication\Identity|null $Identity */
        $Identity = $session->read('Auth');
        if ($Identity !== null) {
            return json_encode(
                [$Identity->getIdentifier(), $Identity->get('is_deactivated')],
                JSON_THROW_ON_ERROR
            );
        }

        return $session->id();
    }
}
```
but found that the hidden input value is generated by `FormHelper::_getFormProtectorSessionId()`, not by `FormProtectionComponent`. The methods' code is copy-pasted: `->getSession()->id()` in both methods.
Had to override `FormHelper::_getFormProtectorSessionId()` as well.

```php
<?php
declare(strict_types=1);

namespace App\View\Helper;

class FormHelper extends \Cake\View\Helper\FormHelper
{
    /**
     * Must return the same value the component uses, otherwise the token
     * rendered into the form never matches the one checked on submit.
     */
    protected function _getFormProtectorSessionId(): string
    {
        return \App\Controller\Component\FormProtectionComponent::getSessionId();
    }
}
```
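The exchange above comes down to what the form token is bound to: the maintainer's point that rotating the session id on `setIdentity()` is what invalidates old forms, and the reporter's observation that both `_getSessionId()` and `_getFormProtectorSessionId()` feed the raw session id into the token. The following is an added, self-contained illustration of that trade-off; it is not CakePHP's `FormProtector` nor the reporter's code. It assumes a constructed HMAC token (`buildToken`/`validateToken` with a made-up `DEMO_SECRET`) as a stand-in for CakePHP's real hashing, a plain-array identity instead of an `\Authentication\Identity` object, and constructed session ids.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a form-protection token: an HMAC over the form URL
// and a "binding value". CakePHP's real FormProtector hashes differently, but
// the property that matters here is the same: the token only validates when
// the binding value at submit time equals the one at render time.
const DEMO_SECRET = 'constructed-demo-secret';

function buildToken(string $url, string $binding): string
{
    return hash_hmac('sha256', $url . '|' . $binding, DEMO_SECRET);
}

function validateToken(string $token, string $url, string $binding): bool
{
    return hash_equals(buildToken($url, $binding), $token);
}

/**
 * Binding value as the override in this thread computes it: identity id plus
 * deactivation flag while logged in, the raw session id otherwise.
 * $identity is a plain array here (assumption) rather than an Identity object.
 */
function identityBinding(?array $identity, string $sessionId): string
{
    if ($identity === null) {
        return $sessionId;
    }

    return json_encode([$identity['id'], $identity['is_deactivated']], JSON_THROW_ON_ERROR);
}

function outcome(bool $valid): string
{
    return $valid ? 'valid' : 'rejected';
}

$url = '/articles/add';
$user = ['id' => 42, 'is_deactivated' => false];
$otherUser = ['id' => 7, 'is_deactivated' => false];

// 1. Default binding (session id). Form rendered under session S1; a parallel
//    request then calls setIdentity(), which ends in Session::renew() -> S2.
$token = buildToken($url, 'sess-S1');
printf("default binding, same session:        %s\n", outcome(validateToken($token, $url, 'sess-S1')));
printf("default binding, after renew():       %s\n", outcome(validateToken($token, $url, 'sess-S2')));

// 2. Identity binding (the override). The renew() no longer affects the form...
$token = buildToken($url, identityBinding($user, 'sess-S1'));
printf("identity binding, after renew():      %s\n", outcome(validateToken($token, $url, identityBinding($user, 'sess-S2'))));

// ...but the same token also outlives logout followed by re-login as the same
// user, which is the form reuse that session-bound rotation exists to prevent.
printf("identity binding, after logout:       %s\n", outcome(validateToken($token, $url, identityBinding(null, 'sess-S3'))));
printf("identity binding, re-login same user: %s\n", outcome(validateToken($token, $url, identityBinding($user, 'sess-S4'))));
printf("identity binding, different user:     %s\n", outcome(validateToken($token, $url, identityBinding($otherUser, 'sess-S4'))));
```

Run with `php demo.php`. The default binding rejects the pending submit as soon as the session id is renewed, which is the `BadRequestException` from the report; the identity binding survives the renew, but it equally survives a logout and a later login as the same user, so a form rendered before logout still validates afterwards. Whichever binding is chosen, the component and the helper must agree on it, as the two overrides above do.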