BUGFIX: Omit sessionless tokens from session #1663
Conversation
Without this fix, all security tokens – including those which are implementations of SessionlessTokenInterface – are serialized and added to the current session. This is a problem for sessionless tokens, which need to be updated on every request and not just once per session.
Backport of #1662
Note: this needs careful upmerging from 5.1 -> 5.2
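To illustrate the behaviour the description above refers to, here is an added PHP sketch; it is not Flow's own code, and every name in it except SessionlessTokenInterface is hypothetical. It contrasts persisting every token into the session with omitting sessionless ones, and shows why a restored sessionless token is wrong.

```php
<?php
// Added illustration, not Flow's code. Only SessionlessTokenInterface is a
// real Flow name; the other interfaces, classes and functions are hypothetical.
declare(strict_types=1);

interface TokenInterface {
    public function getAuthenticationStatus(): string;
}

// Marker for tokens that must be re-evaluated on every request (for example
// credentials carried in a request header) and must never survive in the session.
interface SessionlessTokenInterface extends TokenInterface {}

final class UsernamePasswordToken implements TokenInterface {
    public function __construct(private string $status) {}
    public function getAuthenticationStatus(): string { return $this->status; }
}

final class HeaderToken implements SessionlessTokenInterface {
    public function __construct(private string $status) {}
    public function getAuthenticationStatus(): string { return $this->status; }
}

// Behaviour the PR fixes: every token is handed to the session as-is.
function tokensToPersistBuggy(array $tokens): array {
    return $tokens;
}

// Fixed behaviour: sessionless tokens are dropped before serialization.
function tokensToPersistFixed(array $tokens): array {
    return array_filter(
        $tokens,
        fn(TokenInterface $t) => !$t instanceof SessionlessTokenInterface
    );
}

// Constructed sample: a session-based login and a header token that was
// authenticated on this request only.
$tokens = [
    'Login'  => new UsernamePasswordToken('AUTHENTICATION_SUCCESSFUL'),
    'Header' => new HeaderToken('AUTHENTICATION_SUCCESSFUL'),
];

// Simulate "write to session, read back on the next request" with serialize().
$nextRequestBuggy = unserialize(serialize(tokensToPersistBuggy($tokens)));
$nextRequestFixed = unserialize(serialize(tokensToPersistFixed($tokens)));

// Buggy: 'Header' comes back already successful although the next request
// sent no credentials. Fixed: only 'Login' is restored from the session.
print_r(array_keys($nextRequestBuggy));
print_r(array_keys($nextRequestFixed));
```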
Seems reasonable
Thanks for taking care of backporting this!
Makes sense, I'll just go ahead and add some tests as done for #1662
I just added a mini tweak and a unit test. Can be merged IMO
Forgot to merge this first before doing upmerges, d'oh
This removes the SessionlessTokenBugfixAspect from the codebase, as the underlying problem is fixed in Flow 4.3 and up with these PRs:
- neos/flow-development-collection#1662
- neos/flow-development-collection#1663
As such, minimum Flow versions are raised to the following:
- 4.3.18
- 5.0.17
- 5.1.11
- 5.2.7
- 5.3.3
Without this fix, all security tokens – including those which are implementations of SessionlessTokenInterface – are serialized and added to the current session. This is a problem for sessionless tokens, which need to be updated on every request and not just once per session.
Backport of #1662
Fixes: #1666