
security #cve-2018-11385 migrating session for UsernamePasswordJsonAu…

…thenticationListener

* cve-2018-11385-3.4:
  migrating session for UsernamePasswordJsonAuthenticationListener
fabpot committed May 23, 2018
2 parents 73432d5 + 891ae6b commit 194caff28b56707ea98e746c6582c06acbb9bc3f
@@ -139,6 +139,8 @@ private function onSuccess(Request $request, TokenInterface $token)
$this->logger->info('User has been authenticated successfully.', array('username' => $token->getUsername()));
}
$this->migrateSession($request);
$this->tokenStorage->setToken($token);
if (null !== $this->eventDispatcher) {
@@ -182,4 +184,15 @@ private function onFailure(Request $request, AuthenticationException $failed)
return $response;
}
private function migrateSession(Request $request)
{
if (!$request->hasSession() || !$request->hasPreviousSession()) {
return;
}
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
}
}
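Review bot: `migrateSession()` in the second hunk hard-codes `$request->getSession()->migrate($destroy)` and decides only from request state (`hasSession()`, `hasPreviousSession()`), so the listener cannot follow a firewall-level choice such as a stateless firewall or a different session-fixation strategy; whether that configuration reaches this class is not visible on this page. Consider delegating to an injected `SessionAuthenticationStrategyInterface` with `$this->sessionStrategy->onAuthentication($request, $token);` and returning early when none is set. The helper also needs a docblock saying that it regenerates the session ID to prevent session fixation and must run before `setToken()`, which is the order `onSuccess()` uses in the first hunk. On PHP 5.4.0–5.4.10 `$destroy` is false, so the pre-login session record presumably stays in storage until garbage collection, and the existing comment should say so explicitly. `onSuccess()` starts and ends outside the first hunk.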
