Security Changes (Step 4) #1275
aschempp commented Dec 29, 2017 • edited by leofeyer

- Correctly trigger the Symfony authentication entry point
- Bypass RememberMe Token update in header replay mode
- Update unit tests

@Toflar we currently have to bypass the remember token update because the response of the header replay is not processed. We should discuss whether the cookies of a header replay response should be processed and appended to the actual request.

Checking for the I think that our approach with stopping event propagation in the preflight request is wrong (see terminal42/header-replay-bundle@7da33c3). It will prevent the response listeners from running, one of which adds the updated remember me cookie from the request attributes to the response. We should therefore discuss a different solution for #1009 and other related issues. Maybe we should not execute certain listeners upon HEAD requests?

45e9a8b to 369c7c1

Thank you @aschempp.

A new issue thereto has been created at #1280.

Description
-----------

If you use Contao just as a bundle (unmanaged edition, see https://docs.contao.org/dev/getting-started/initial-setup/symfony-application/), you won't get redirected to the login screen if you access the preview url unauthenticated. As the preview is a feature of the core-bundle, this PR moves the according authentication listener from the manager-bundle to the core-bundle.

Commits
-------

f4e54950 Version 4.8.7

Description
-----------

Fixes #1108

Commits
-------

447da7ff Fix the picture_default.html5 template (see #1108)
bd35ffc3 Moved the PreviewAuthenticationListener to the core-bundle
2e4011d1 Fix namespace copy pasta
6f230b47 Merge branch '4.9' of github.com:bytehead/contao into bugfix/move-previewauthenticationlistener
ff486ca8 Remove merge leftover
591fe9af Fix definition
64204688 Fix tests
df7412bd Move extension test
1e30def0 CS fix