Merge branch '3.4' into 4.4

* 3.4: [Http Foundation] Fix clear cookie samesite [Security] Check if firewall is stateless before checking for session/previous session [Form] Support customized intl php.ini settings [Security] Remember me: allow to set the samesite cookie flag [Debug] fix for PHP 7.3.16+/7.4.4+ [Validator] Backport translations Prevent warning in proc_open()
symfony · Mar 23, 2020 · 962860f · 962860f
2 parents 45017e8 + 06a4e09
commit 962860f
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 5 deletions.
diff --git a/Guard/GuardAuthenticatorHandler.php b/Guard/GuardAuthenticatorHandler.php
@@ -127,7 +127,7 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn
 
     private function migrateSession(Request $request, TokenInterface $token, ?string $providerKey)
     {
-        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession() || \in_array($providerKey, $this->statelessProviderKeys, true)) {
+        if (\in_array($providerKey, $this->statelessProviderKeys, true) || !$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 

diff --git a/Guard/Tests/GuardAuthenticatorHandlerTest.php b/Guard/Tests/GuardAuthenticatorHandlerTest.php
@@ -153,6 +153,25 @@ public function testSessionStrategyIsNotCalledWhenStateless()
         $handler->authenticateWithToken($this->token, $this->request, 'some_provider_key');
     }
 
+    /**
+     * @requires function \Symfony\Component\HttpFoundation\Request::setSessionFactory
+     */
+    public function testSessionIsNotInstantiatedOnStatelessFirewall()
+    {
+        $sessionFactory = $this->getMockBuilder(\stdClass::class)
+            ->setMethods(['__invoke'])
+            ->getMock();
+
+        $sessionFactory->expects($this->never())
+            ->method('__invoke');
+
+        $this->request->setSessionFactory($sessionFactory);
+
+        $handler = new GuardAuthenticatorHandler($this->tokenStorage, $this->dispatcher, ['stateless_provider_key']);
+        $handler->setSessionAuthenticationStrategy($this->sessionStrategy);
+        $handler->authenticateWithToken($this->token, $this->request, 'stateless_provider_key');
+    }
+
     protected function setUp(): void
     {
         $this->tokenStorage = $this->getMockBuilder(TokenStorageInterface::class)->getMock();

diff --git a/Http/RememberMe/AbstractRememberMeServices.php b/Http/RememberMe/AbstractRememberMeServices.php
@@ -39,6 +39,7 @@ abstract class AbstractRememberMeServices implements RememberMeServicesInterface
     protected $options = [
         'secure' => false,
         'httponly' => true,
+        'samesite' => null,
     ];
     private $providerKey;
     private $secret;
@@ -276,7 +277,7 @@ protected function cancelCookie(Request $request)
             $this->logger->debug('Clearing remember-me cookie.', ['name' => $this->options['name']]);
         }
 
-        $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'] ?? $request->isSecure(), $this->options['httponly'], false, $this->options['samesite'] ?? null));
+        $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'] ?? $request->isSecure(), $this->options['httponly'], false, $this->options['samesite']));
     }
 
     /**

diff --git a/Http/RememberMe/PersistentTokenBasedRememberMeServices.php b/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
@@ -86,7 +86,7 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
                 $this->options['secure'] ?? $request->isSecure(),
                 $this->options['httponly'],
                 false,
-                $this->options['samesite'] ?? null
+                $this->options['samesite']
             )
         );
 
@@ -121,7 +121,7 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
                 $this->options['secure'] ?? $request->isSecure(),
                 $this->options['httponly'],
                 false,
-                $this->options['samesite'] ?? null
+                $this->options['samesite']
             )
         );
     }

diff --git a/Http/RememberMe/TokenBasedRememberMeServices.php b/Http/RememberMe/TokenBasedRememberMeServices.php
@@ -83,7 +83,7 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
                 $this->options['secure'] ?? $request->isSecure(),
                 $this->options['httponly'],
                 false,
-                $this->options['samesite'] ?? null
+                $this->options['samesite']
             )
         );
     }