Skip to content

[WIP] [Security] Session concurrency control #12009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 16 commits into from
Closed

[WIP] [Security] Session concurrency control #12009

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
66ed331
Previous PR
ajgarlag Sep 23, 2014
90eba34
BC Concurrent Sessions Control
ajgarlag Sep 24, 2014
82c5f71
CS fix thanks to fabbot.io
ajgarlag Sep 24, 2014
5772a75
PHP Types fix thanks to fabbot.io
ajgarlag Sep 24, 2014
c6b1488
Depend on TokenStorageInterface instead of SecurityContextInterface
ajgarlag Sep 26, 2014
9c3aebb
Mark as private several methods and properties
ajgarlag Sep 26, 2014
2b5e2ed
Rename exceptionIfMaximunExceeded to errorIfMaximunExceeded to follow…
ajgarlag Sep 26, 2014
5e22c79
Remove the useless unique index for the primary key.
ajgarlag Sep 26, 2014
5664571
Control to avoid an error when the request has no session.
ajgarlag Sep 26, 2014
f458bd4
Fix phpdoc
ajgarlag Sep 26, 2014
f92286a
Several improvements and error fixes to DBAL related code.
ajgarlag Sep 26, 2014
52b7ba4
CS fix thanks to fabbot.io
ajgarlag Sep 26, 2014
4ca3a47
Remove aligned '=>' and '='
ajgarlag Nov 10, 2014
6224ba0
Set the max_sessions config option as integer.
ajgarlag Nov 10, 2014
81c01de
Makes the session registry service public.
ajgarlag Nov 10, 2014
c0edefd
Adds a new logout handler to removes the session information from ses…
ajgarlag Nov 11, 2014
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
CS fix thanks to fabbot.io
  • Loading branch information
@ajgarlag
ajgarlag committed Nov 10, 2014
commit 82c5f715f406e72958fb542c45f8794ddc464627
10 changes: 5 additions & 5 deletions src/Symfony/Bridge/Doctrine/Security/SessionRegistry/SessionRegistryStorage.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,19 +150,19 @@ private function getMergeSql()
{
switch ($this->connection->getDriver()->getName()) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should rather be based on the DBAL platform than the DBAL driver name actually

case 'pdo_mysql':
return "INSERT INTO $this->table (session_id, username, last_request, expired) VALUES (:session_id, :username, :last_request, :expired) " .
return "INSERT INTO $this->table (session_id, username, last_request, expired) VALUES (:session_id, :username, :last_request, :expired) ".
"ON DUPLICATE KEY UPDATE username = VALUES(username), last_request = VALUES(last_request), expired = VALUES(expired)";
case 'pdo_oracle':
// DUAL is Oracle specific dummy table
return "MERGE INTO $this->table USING DUAL ON (session_id= :session_id) " .
"WHEN NOT MATCHED THEN INSERT (session_id, username, last_request, expired) VALUES (:session_id, :username, :last_request, :expired) " .
return "MERGE INTO $this->table USING DUAL ON (session_id= :session_id) ".
"WHEN NOT MATCHED THEN INSERT (session_id, username, last_request, expired) VALUES (:session_id, :username, :last_request, :expired) ".
"WHEN MATCHED THEN UPDATE SET username = :username, last_request = :last_request, expired = :expired";
case 'pdo_sqlsrv':
if (version_compare($this->connection->getWrappedConnection()->getAttribute(\PDO::ATTR_SERVER_VERSION), '10', '>=')) {
// MERGE is only available since SQL Server 2008 and must be terminated by semicolon
// It also requires HOLDLOCK according to http://weblogs.sqlteam.com/dang/archive/2009/01/31/UPSERT-Race-Condition-With-MERGE.aspx
return "MERGE INTO $this->table WITH (HOLDLOCK) USING (SELECT 1 AS dummy) AS src ON (session_id = :session_id) " .
"WHEN NOT MATCHED THEN INSERT (session_id, username, last_request, expired) VALUES (:session_id, :username, :last_request, :expired) " .
return "MERGE INTO $this->table WITH (HOLDLOCK) USING (SELECT 1 AS dummy) AS src ON (session_id = :session_id) ".
"WHEN NOT MATCHED THEN INSERT (session_id, username, last_request, expired) VALUES (:session_id, :username, :last_request, :expired) ".
"WHEN MATCHED THEN UPDATE SET username = :username, last_request = :last_request, expired = :expired;";
}
case 'pdo_sqlite':
Expand Down
39 changes: 13 additions & 26 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,8 +70,7 @@ public function getConfigTreeBuilder()
->booleanNode('allow_if_equal_granted_denied')->defaultTrue()->end()
->end()
->end()
->end()
;
->end();

$this->addAclSection($rootNode);
$this->addEncodersSection($rootNode);
Expand All @@ -95,8 +94,7 @@ private function addSessionRegistrySection(ArrayNodeDefinition $rootNode)
->scalarNode('session_registry_storage')->end()
->end()
->end()
->end()
;
->end();
}

private function addAclSection(ArrayNodeDefinition $rootNode)
Expand Down Expand Up @@ -135,8 +133,7 @@ private function addAclSection(ArrayNodeDefinition $rootNode)
->end()
->end()
->end()
->end()
;
->end();
}

private function addRoleHierarchySection(ArrayNodeDefinition $rootNode)
Expand All @@ -156,8 +153,7 @@ private function addRoleHierarchySection(ArrayNodeDefinition $rootNode)
->prototype('scalar')->end()
->end()
->end()
->end()
;
->end();
}

private function addAccessControlSection(ArrayNodeDefinition $rootNode)
Expand Down Expand Up @@ -196,8 +192,7 @@ private function addAccessControlSection(ArrayNodeDefinition $rootNode)
->end()
->end()
->end()
->end()
;
->end();
}

private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $factories)
Expand All @@ -211,8 +206,7 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
->disallowNewKeysInSubsequentConfigs()
->useAttributeAsKey('name')
->prototype('array')
->children()
;
->children();

$firewallNodeBuilder
->scalarNode('pattern')->end()
Expand Down Expand Up @@ -311,16 +305,14 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
->booleanNode('error_if_maximum_exceeded')->defaultTrue()->end()
->scalarNode('expiration_url')->defaultValue('/')->end()
->end()
->end()
;
->end();

$abstractFactoryKeys = array();
foreach ($factories as $factoriesAtPosition) {
foreach ($factoriesAtPosition as $factory) {
$name = str_replace('-', '_', $factory->getKey());
$factoryNode = $firewallNodeBuilder->arrayNode($name)
->canBeUnset()
;
->canBeUnset();

if ($factory instanceof AbstractFactory) {
$abstractFactoryKeys[] = $name;
Expand Down Expand Up @@ -350,8 +342,7 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto

return $firewall;
})
->end()
;
->end();
}

private function addProvidersSection(ArrayNodeDefinition $rootNode)
Expand All @@ -375,8 +366,7 @@ private function addProvidersSection(ArrayNodeDefinition $rootNode)
->isRequired()
->requiresAtLeastOneElement()
->useAttributeAsKey('name')
->prototype('array')
;
->prototype('array');

$providerNodeBuilder
->children()
Expand All @@ -393,8 +383,7 @@ private function addProvidersSection(ArrayNodeDefinition $rootNode)
->end()
->end()
->end()
->end()
;
->end();

foreach ($this->userProviderFactories as $factory) {
$name = str_replace('-', '_', $factory->getKey());
Expand All @@ -411,8 +400,7 @@ private function addProvidersSection(ArrayNodeDefinition $rootNode)
->validate()
->ifTrue(function ($v) {return count($v) === 0;})
->thenInvalid('You must set a provider definition for the provider.')
->end()
;
->end();
}

private function addEncodersSection(ArrayNodeDefinition $rootNode)
Expand Down Expand Up @@ -451,7 +439,6 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
->end()
->end()
->end()
->end()
;
->end();
}
}
6 changes: 2 additions & 4 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AbstractFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,8 +59,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProviderI
if ($this->isRememberMeAware($config)) {
$container
->getDefinition($listenerId)
->addTag('security.remember_me_aware', array('id' => $id, 'provider' => $userProviderId))
;
->addTag('security.remember_me_aware', array('id' => $id, 'provider' => $userProviderId));
}

// create entry point if applicable (optional)
Expand All @@ -77,8 +76,7 @@ public function addConfiguration(NodeDefinition $node)
->scalarNode('provider')->end()
->booleanNode('remember_me')->defaultTrue()->end()
->scalarNode('success_handler')->end()
->scalarNode('failure_handler')->end()
;
->scalarNode('failure_handler')->end();

foreach (array_merge($this->options, $this->defaultSuccessHandlerOptions, $this->defaultFailureHandlerOptions) as $name => $default) {
if (is_bool($default)) {
Expand Down
39 changes: 14 additions & 25 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,8 +83,7 @@ public function load(array $configs, ContainerBuilder $container)
->getDefinition('security.access.decision_manager')
->addArgument($config['access_decision_manager']['strategy'])
->addArgument($config['access_decision_manager']['allow_if_all_abstain'])
->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied'])
;
->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied']);
$container->setParameter('security.access.always_authenticate_before_granting', $config['always_authenticate_before_granting']);
$container->setParameter('security.authentication.hide_user_not_found', $config['hide_user_not_found']);

Expand Down Expand Up @@ -151,8 +150,7 @@ private function configureDbalAclProvider(array $config, ContainerBuilder $conta
'connection' => $config['connection'],
'event' => 'postGenerateSchema',
'lazy' => true,
))
;
));

$container->getDefinition('security.acl.cache.doctrine')->addArgument($config['cache']['prefix']);

Expand Down Expand Up @@ -264,8 +262,7 @@ private function createFirewalls($config, ContainerBuilder $container)
$context = $container->setDefinition($contextId, new DefinitionDecorator('security.firewall.context'));
$context
->replaceArgument(0, $listeners)
->replaceArgument(1, $exceptionListener)
;
->replaceArgument(1, $exceptionListener);
$map[$contextId] = $matcher;
}
$mapDef->replaceArgument(1, $map);
Expand All @@ -276,8 +273,7 @@ private function createFirewalls($config, ContainerBuilder $container)
}, array_values(array_unique($authenticationProviders)));
$container
->getDefinition('security.authentication.manager')
->replaceArgument(0, $authenticationProviders)
;
->replaceArgument(0, $authenticationProviders);
}

private function createFirewall(ContainerBuilder $container, $id, $firewall, &$authenticationProviders, $providerIds)
Expand Down Expand Up @@ -351,8 +347,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
$firewall['logout']['csrf_token_id'],
$firewall['logout']['csrf_parameter'],
isset($firewall['logout']['csrf_token_generator']) ? new Reference($firewall['logout']['csrf_token_generator']) : null,
))
;
));
}

// Authentication listeners
Expand Down Expand Up @@ -428,16 +423,14 @@ private function createAuthenticationListeners($container, $id, $firewall, &$aut
$listenerId = 'security.authentication.listener.anonymous.'.$id;
$container
->setDefinition($listenerId, new DefinitionDecorator('security.authentication.listener.anonymous'))
->replaceArgument(1, $firewall['anonymous']['key'])
;
->replaceArgument(1, $firewall['anonymous']['key']);

$listeners[] = new Reference($listenerId);

$providerId = 'security.authentication.provider.anonymous.'.$id;
$container
->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.anonymous'))
->replaceArgument(0, $firewall['anonymous']['key'])
;
->replaceArgument(0, $firewall['anonymous']['key']);

$authenticationProviders[] = $providerId;
$hasListeners = true;
Expand All @@ -459,8 +452,7 @@ private function createEncoders($encoders, ContainerBuilder $container)

$container
->getDefinition('security.encoder_factory.generic')
->setArguments(array($encoderMap))
;
->setArguments(array($encoderMap));
}

private function createEncoder($config, ContainerBuilder $container)
Expand Down Expand Up @@ -555,8 +547,7 @@ private function createUserDaoProvider($name, $provider, ContainerBuilder $conta

$container
->setDefinition($name, new DefinitionDecorator('security.user.provider.chain'))
->addArgument($providers)
;
->addArgument($providers);

return $name;
}
Expand All @@ -566,8 +557,7 @@ private function createUserDaoProvider($name, $provider, ContainerBuilder $conta
$container
->setDefinition($name, new DefinitionDecorator('security.user.provider.entity'))
->addArgument($provider['entity']['class'])
->addArgument($provider['entity']['property'])
;
->addArgument($provider['entity']['property']);

return $name;
}
Expand All @@ -579,8 +569,7 @@ private function createUserDaoProvider($name, $provider, ContainerBuilder $conta

$container
->setDefinition($userId, new DefinitionDecorator('security.user.provider.in_memory.user'))
->setArguments(array($username, (string) $user['password'], $user['roles']))
;
->setArguments(array($username, (string) $user['password'], $user['roles']));

$definition->addMethodCall('createUser', array(new Reference($userId)));
}
Expand Down Expand Up @@ -678,8 +667,7 @@ private function createRequestMatcher($container, $path = null, $host = null, $m
$container
->register($id, '%security.matcher.class%')
->setPublic(false)
->setArguments($arguments)
;
->setArguments($arguments);

return $this->requestMatchers[$id] = new Reference($id);
}
Expand Down Expand Up @@ -765,7 +753,7 @@ private function createConcurrentSessionAuthenticationStrategy($container, $id,
array(
new Reference($concurrentSessionControlStrategyId),
new Reference($fixationSessionStrategyId),
new Reference($registerSessionStrategyId)
new Reference($registerSessionStrategyId),
)
);
} else {
Expand All @@ -790,6 +778,7 @@ private function createLogoutSuccessHandler($container, $id, $config)
$logoutSuccessHandler->replaceArgument(1, $config['target']);
}
}

return $logoutSuccessHandlerId;
}

Expand Down
1 change: 0 additions & 1 deletion src/Symfony/Component/Security/Http/Firewall/ExpiredSessionListener.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,6 @@ public function handle(GetResponseEvent $event)

if ($sessionInformation = $this->sessionRegistry->getSessionInformation($session->getId())) {
if ($sessionInformation->isExpired()) {

if (null !== $this->logger) {
$this->logger->info(sprintf("Logging out expired session for username '%s'", $token->getUsername()));
}
Expand Down
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy