Fixes session security issue

commit 51e78c93d712074b81993f851f0a427e75e6a0b3 1 parent 90ccac9
@ludofleury ludofleury authored
Showing with 6 additions and 0 deletions.
  1. +6 −0 Controller/AuthorizeController.php
6 Controller/AuthorizeController.php
@@ -46,6 +46,11 @@ public function authorizeAction(Request $request)
throw new AccessDeniedException('This user does not have access to this section.');
+ if (true === $this->container->get('session')->get('_fos_oauth_server.ensure_logout')) {
+ $this->container->get('session')->invalidate(600);
Lukx added a note

Does anyone still remember why this is 600? Why not just invalidate the session?
Background to my question: If the user closes the browser within those 600s, then the new session stays alive beyond the browser session. @ludofleury

@stof Owner
stof added a note

see #35 for the PR adding it and the discussion around it

+ $this->container->get('session')->set('_fos_oauth_server.ensure_logout', true);
+ }
$form = $this->container->get('fos_oauth_server.authorize.form');
$formHandler = $this->container->get('fos_oauth_server.authorize.form.handler');
@@ -84,6 +89,7 @@ public function authorizeAction(Request $request)
protected function processSuccess(UserInterface $user, AuthorizeFormHandler $formHandler)
if (true === $this->container->get('session')->get('_fos_oauth_server.ensure_logout')) {
+ $this->container->get('security.context')->setToken(null);
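Review bot: In the second hunk, `setToken(null)` in processSuccess drops the authenticated token but leaves the session itself in place; the session is only regenerated when the same browser comes back to authorizeAction and the first hunk's `invalidate(600)` fires on the `_fos_oauth_server.ensure_logout` flag, so a user who never returns to the authorize endpoint appears to keep the old session id for as long as its cookie lives. If the intent of the commit is that an OAuth authorization must not leave a reusable browser session behind, it is worth confirming whether the session should also be invalidated at the point of logout, e.g. `$this->container->get('session')->invalidate();` right after the `setToken(null)` call, bearing in mind that this would clear the flag the first hunk relies on; this is inferred from the visible lines, and processSuccess's body continues outside the hunk. As a point of style, the session service is fetched three times in the first hunk and the string key `'_fos_oauth_server.ensure_logout'` is repeated across both methods; hoisting `$session = $this->container->get('session');` and declaring `const SESSION_ENSURE_LOGOUT = '_fos_oauth_server.ensure_logout';` on the controller would keep the two sites from drifting.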
