
Commit 21689b9

derrabusfabpot
authored andcommitted
[Security] Don't destroy the session on buggy php releases.
1 parent c89020d commit 21689b9


2 files changed

+21
-1
lines changed

2 files changed

+21
-1
lines changed

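--- a/Http/Session/SessionAuthenticationStrategy.php
+++ b/Http/Session/SessionAuthenticationStrategy.php
@@ -47,7 +47,10 @@ public function onAuthentication(Request $request, TokenInterface $token)
 return;
 
 case self::MIGRATE:
-$request->getSession()->migrate(true);
+// Destroying the old session is broken in php 5.4.0 - 5.4.10
+// See php bug #63379
+$destroy = PHP_VERSION_ID < 50400 || PHP_VERSION_ID >= 50411;
+$request->getSession()->migrate($destroy);
 
 return;
 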
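Review bot: The comment added above the `$destroy` assignment explains why the old session is kept on PHP 5.4.0 - 5.4.10 but not what that costs. With `migrate(false)` the pre-authentication session record presumably stays in storage under its old ID until it expires or is garbage collected, which weakens the clean-up that the MIGRATE strategy otherwise performs at login. I would add a line such as `// On affected versions the old session data stays in storage until it is garbage collected.` so the trade-off is visible at the call site. The enclosing `switch` in `onAuthentication` starts and ends outside the hunk.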

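--- a/Tests/Http/Session/SessionAuthenticationStrategyTest.php
+++ b/Tests/Http/Session/SessionAuthenticationStrategyTest.php
@@ -39,13 +39,30 @@ public function testUnsupportedStrategy()
 
 public function testSessionIsMigrated()
 {
+if (PHP_VERSION_ID >= 50400 && PHP_VERSION_ID < 50411) {
+$this->markTestSkipped('We cannot destroy the old session on PHP 5.4.0 - 5.4.10.');
+}
+
 $session = $this->getMock('Symfony\Component\HttpFoundation\Session\SessionInterface');
 $session->expects($this->once())->method('migrate')->with($this->equalTo(true));
 
 $strategy = new SessionAuthenticationStrategy(SessionAuthenticationStrategy::MIGRATE);
 $strategy->onAuthentication($this->getRequest($session), $this->getToken());
 }
 
+public function testSessionIsMigratedWithPhp54Workaround()
+{
+if (PHP_VERSION_ID < 50400 || PHP_VERSION_ID >= 50411) {
+$this->markTestSkipped('This PHP version is not affected.');
+}
+
+$session = $this->getMock('Symfony\Component\HttpFoundation\Session\SessionInterface');
+$session->expects($this->once())->method('migrate')->with($this->equalTo(false));
+
+$strategy = new SessionAuthenticationStrategy(SessionAuthenticationStrategy::MIGRATE);
+$strategy->onAuthentication($this->getRequest($session), $this->getToken());
+}
+
 public function testSessionIsInvalidated()
 {
 $session = $this->getMock('Symfony\Component\HttpFoundation\Session\SessionInterface');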
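Review bot: Both `testSessionIsMigrated` and `testSessionIsMigratedWithPhp54Workaround` pick their expectation from the running interpreter's `PHP_VERSION_ID`, so any one test run checks only one side of the version test and skips the other. If no build runs on PHP 5.4.0 - 5.4.10, the `migrate(false)` path is never verified, and a mistake in the boundary values would go unnoticed. Moving the decision into a small overridable method, for example `protected function shouldDestroyOldSession() { return PHP_VERSION_ID < 50400 || PHP_VERSION_ID >= 50411; }`, would let a test subclass force each outcome on any PHP version. The body of `testSessionIsInvalidated` continues outside the hunk.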
