Clear session cookie if user was deleted, is disabled or locked to pr…

…event infinite redirect loops to the login path (fixes #1798).

src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php

@@ -16,6 +16,7 @@
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
@@ -158,7 +159,15 @@ private function startAuthentication(Request $request, AuthenticationException $
 
         $this->setTargetPath($request);
 
-        return $this->authenticationEntryPoint->start($request, $authException);
+        $response = $this->authenticationEntryPoint->start($request, $authException);
+
+        if ($authException instanceof AccountStatusException && $response instanceof Response) {
+            // clear the session cookie to prevent infinite redirect loops
+            $cookieParams = session_get_cookie_params();
+            $response->headers->clearCookie(session_name(), $cookieParams['path'], $cookieParams['domain']);
+        }
+
+        return $response;
     }
 
     protected function setTargetPath(Request $request)