Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Delete old session on auth strategy migrate #13048

Merged
merged 1 commit into from Dec 20, 2014
Merged

[Security] Delete old session on auth strategy migrate #13048

merged 1 commit into from Dec 20, 2014

Conversation

xelaris
Copy link
Contributor

@xelaris xelaris commented Dec 20, 2014

Q A
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets #13026
License MIT
Doc PR

As identified by @austinh in #13026 there are two sessions after authentication, since the previous session is migrated to a new one by session_regenerate_id. This PR ensures the old session is been deleted immediately on migration.
I can't see any drawbacks, but if the change would break BC, another approach would be to add a new strategy like switch to enable instant deletion of the old session.

@Tobion
Copy link
Member

Tobion commented Dec 20, 2014

👍

@fabpot
Copy link
Member

fabpot commented Dec 20, 2014

Thank you @xelaris.

@fabpot fabpot merged commit 5dd11e6 into symfony:2.3 Dec 20, 2014
fabpot added a commit that referenced this pull request Dec 20, 2014
@fabpot
bug #13048 [Security] Delete old session on auth strategy migrate (xe…
901d1de 
…laris)

This PR was merged into the 2.3 branch.

Discussion
----------

[Security] Delete old session on auth strategy migrate

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #13026
| License       | MIT
| Doc PR        |

As identified by @austinh in #13026 there are two sessions after authentication, since the previous session is migrated to a new one by ``session_regenerate_id``. This PR ensures the old session is been deleted immediately on migration.
I can't see any drawbacks, but if the change would break BC, another approach would be to add a new strategy like ``switch`` to enable instant deletion of the old session.

Commits
-------

5dd11e6 [Security] Delete old session on auth strategy migrate
@austinh
Copy link

austinh commented Dec 20, 2014

+1 thanks!!!

@Tobion Tobion mentioned this pull request Dec 20, 2014
Closed
@derrabus derrabus mentioned this pull request Jan 6, 2015
Closed
xelaris added a commit to xelaris/symfony that referenced this pull request Jan 6, 2015
@xelaris
[Security] reverted PR symfony#13048 due to issue symfony#13269
489d197
@xelaris xelaris mentioned this pull request Jan 6, 2015
Closed
@umulmrum umulmrum mentioned this pull request May 28, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@xelaris @Tobion @fabpot @austinh