### Problem

The `Request::hasPreviousSession` check currently does not take the remember-me cookie into account. We show account buttons on our website, but only 5% of the users are logged in (e.g. need a session). When users log in and enable 'remember me', all is okay for that session, but in case of `IS_AUTHENTICATED_REMEMBERED` (e.g. expired session) the proper buttons aren't shown.

### Solution

Can be reproduced by removing the `PHPSESSID` cookie via the developer tools. I think that `hasPreviousSession` should also take `IS_AUTHENTICATED_REMEMBERED` into account. Was able to solve this by also checking the cookies for the remember me:

```php
// Symfony\Component\HttpFoundation\Request
public function hasPreviousSession()
{
    // the check for $this->session avoids malicious users trying to fake a session cookie with proper name
    return $this->hasSession() && ($this->cookies->has($this->session->getName()) || $this->cookies->has('REMEMBERME'));
}
```

As `Request` is not aware of the configured `remember_me` cookie name, this fix is not the right one.

### Discussion

In case not taking the `remember_me` cookie into account is the right behavior, I think the usage of `hasPreviousSession` in the following docs should be discussed:

... then should be ... what also solved the above use case.
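An added example (not the issue author's code and not part of Symfony) of meeting the same need without hard-coding a cookie name inside `Request`: a small application service receives the configured remember-me cookie name and uses cookie presence only as a hint to start the session, leaving the actual decision to the security layer. The class name, the constructor binding and the assumption that the request runs behind a firewall (so `isGranted()` has a token to evaluate) are all assumptions.

```php
<?php
// Added example, not from the Symfony project or the issue author.
// Assumes the service is registered with the remember-me cookie name bound from
// security.yaml (firewalls.<name>.remember_me.name, default "REMEMBERME").
namespace App\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

final class AccountUiDecider
{
    public function __construct(
        private AuthorizationCheckerInterface $authChecker,
        // hypothetical binding, e.g. '%app.remember_me_cookie_name%' in services.yaml
        private string $rememberMeCookieName,
    ) {
    }

    /**
     * Cheap, session-free check: does the request carry any cookie that could
     * lead to an authenticated user (session id or remember-me token)?
     * Cookie presence is only a reason to bother starting the session; it is
     * NOT an authentication decision, since any client can send a cookie with
     * the right name. That is why Request::hasPreviousSession() also requires a
     * configured session instead of trusting the cookie name alone.
     */
    public function mayHaveUser(Request $request): bool
    {
        return $request->hasPreviousSession()
            || $request->cookies->has($this->rememberMeCookieName);
    }

    /**
     * The real decision goes through the security component. Anonymous requests
     * (no session cookie, no remember-me cookie) never reach isGranted(), so the
     * 95% of visitors without an account do not get a session started.
     */
    public function showAccountButtons(Request $request): bool
    {
        if (!$this->mayHaveUser($request)) {
            return false;
        }
        // IS_AUTHENTICATED_REMEMBERED covers both a live session login and a valid
        // remember-me cookie; a forged cookie is rejected here, not in mayHaveUser().
        return $this->authChecker->isGranted('IS_AUTHENTICATED_REMEMBERED');
    }
}
```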