Skip to content

Commit

Permalink
bug #40537 [Security] Handle properly 'auto' option for remember me c…
Browse files Browse the repository at this point in the history 
…ookie security (fliespl)

This PR was merged into the 4.4 branch.

Discussion
----------

[Security] Handle properly 'auto' option for remember me cookie security

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #40471
| License       | MIT
| Doc PR        | n/a

Manually setting remember_me cookie secure as auto is still is being set as secure one even if used over http.

This PR fixes this behaviour by converting auto to null prior setting it up for service.

Commits
-------

2bcf69c [Security] Handle properly 'auto' option for remember me cookie security
  • Loading branch information
@nicolas-grekas
nicolas-grekas committed Mar 23, 2021
2 parents 7eb4db6 + 2bcf69c commit 9a8e2c2
Show file tree
Hide file tree
Showing 5 changed files with 75 additions and 1 deletion.
7 changes: 6 additions & 1 deletion src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,12 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
}

// remember-me options
$rememberMeServices->replaceArgument(3, array_intersect_key($config, $this->options));
$mergedOptions = array_intersect_key($config, $this->options);
if ('auto' === $mergedOptions['secure']) {
$mergedOptions['secure'] = null;
}

$rememberMeServices->replaceArgument(3, $mergedOptions);

// attach to remember-me aware listeners
$userProviders = [];
Expand Down
33 changes: 33 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/Functional/RememberMeCookieTest.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
<?php

namespace Symfony\Bundle\SecurityBundle\Tests\Functional;

use Symfony\Component\HttpFoundation\ResponseHeaderBag;

class RememberMeCookieTest extends AbstractWebTestCase
{
/** @dataProvider getSessionRememberMeSecureCookieFlagAutoHttpsMap */
public function testSessionRememberMeSecureCookieFlagAuto($https, $expectedSecureFlag)
{
$client = $this->createClient(['test_case' => 'RememberMeCookie', 'root_config' => 'config.yml']);

$client->request('POST', '/login', [
'_username' => 'test',
'_password' => 'test',
], [], [
'HTTPS' => (int) $https,
]);

$cookies = $client->getResponse()->headers->getCookies(ResponseHeaderBag::COOKIES_ARRAY);

$this->assertEquals($expectedSecureFlag, $cookies['']['/']['REMEMBERME']->isSecure());
}

public function getSessionRememberMeSecureCookieFlagAutoHttpsMap()
{
return [
[true, true],
[false, false],
];
}
}
9 changes: 9 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeCookie/bundles.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
<?php

use Symfony\Bundle\FrameworkBundle\FrameworkBundle;
use Symfony\Bundle\SecurityBundle\SecurityBundle;

return [
new FrameworkBundle(),
new SecurityBundle(),
];
25 changes: 25 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeCookie/config.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
imports:
- { resource: ./../config/framework.yml }

security:
encoders:
Symfony\Component\Security\Core\User\User: plaintext

providers:
in_memory:
memory:
users:
test: { password: test, roles: [ROLE_USER] }

firewalls:
default:
form_login:
check_path: login
remember_me: true
require_previous_session: false
remember_me:
always_remember_me: true
secret: key
secure: auto
logout: ~
anonymous: ~
2 changes: 2 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/RememberMeCookie/routing.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
login:
path: /login

0 comments on commit 9a8e2c2

Please sign in to comment.