
security #cve-2018-11385 Adding session authentication strategy to Gu…

…ard to avoid session fixation

* cve-2018-11385-2.8:
  Adding session authentication strategy to Guard to avoid session fixation
fabpot committed May 23, 2018
2 parents a1a5fa8 + f2e83ba commit fad1e1f2ea336e85c889feece9d0e23fbfcf777d
Showing with 13 additions and 0 deletions.
  1. +13 −0 src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
@@ -46,6 +46,7 @@ public function __construct(TokenStorageInterface $tokenStorage, EventDispatcher
*/
public function authenticateWithToken(TokenInterface $token, Request $request)
{
$this->migrateSession($request);
$this->tokenStorage->setToken($token);
if (null !== $this->dispatcher) {
@@ -127,4 +128,16 @@ public function handleAuthenticationFailure(AuthenticationException $authenticat
is_object($response) ? get_class($response) : gettype($response)
));
}
private function migrateSession(Request $request)
{
if (!$request->hasSession() || !$request->hasPreviousSession()) {
return;
}
// Destroying the old session is broken in php 5.4.0 - 5.4.10
// See https://bugs.php.net/63379
$destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
$request->getSession()->migrate($destroy);
}
}
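Review bot: migrateSession regenerates the session id on every Guard authentication unconditionally, so the firewall's configured `session_fixation_strategy` (e.g. `none` or `invalidate`) is not honoured here; it seems preferable to delegate to a SessionAuthenticationStrategyInterface the way Symfony's form-login listener does, or at least to document why the strategy is fixed to migrate in this handler. The `$destroy` computation also means that on PHP 5.4.0–5.4.10 the previous session data is kept server-side and stays valid until garbage collection, which is a weaker guarantee than elsewhere and worth stating next to the existing bug-link comment. A docblock on the method would make the intent clear, e.g. `/** Regenerates the session id after authentication so a session id known before login cannot be reused (session fixation); a no-op when the request carries no prior session. */`. The enclosing class and the start of handleAuthenticationFailure lie outside the hunk.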
