From e3a140d226dba20c2d3f4cf5692e001006629107 Mon Sep 17 00:00:00 2001 From: Robin Chalas Date: Sat, 13 May 2023 05:59:13 +0200 Subject: [PATCH] [Security] Skip clearing CSRF Token on stateless logout --- .../Http/EventListener/CsrfTokenClearingLogoutListener.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php b/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php index 032821a18b69e..ec00bc1d9be6e 100644 --- a/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php +++ b/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php @@ -13,6 +13,7 @@ use Symfony\Component\EventDispatcher\EventSubscriberInterface; use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface; +use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage; use Symfony\Component\Security\Http\Event\LogoutEvent; /** @@ -31,6 +32,10 @@ public function __construct(ClearableTokenStorageInterface $csrfTokenStorage) public function onLogout(LogoutEvent $event): void { + if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) { + return; + } + $this->csrfTokenStorage->clear(); } pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy