
Commit 7f812e1

committed
[Security] Do not try to clear CSRF on stateless request
1 parent 93e8814 commit 7f812e1


2 files changed

+15
-2
lines changed


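--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterCsrfFeaturesPass.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterCsrfFeaturesPass.php
@@ -58,6 +58,7 @@ protected function registerLogoutHandler(ContainerBuilder $container): void
 
         $container->register('security.logout.listener.csrf_token_clearing', CsrfTokenClearingLogoutListener::class)
             ->addArgument(new Reference('security.csrf.token_storage'))
+            ->addArgument(new Reference('security.firewall.map'))
             ->addTag('kernel.event_subscriber');
     }
 }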

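--- a/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php
+++ b/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php
@@ -11,10 +11,12 @@
 
 namespace Symfony\Component\Security\Http\EventListener;
 
+use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
 use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\FirewallMapInterface;
 
 /**
  * @author Christian Flothmann <[email protected]>
@@ -24,15 +26,25 @@
 class CsrfTokenClearingLogoutListener implements EventSubscriberInterface
 {
     private ClearableTokenStorageInterface $csrfTokenStorage;
+    private FirewallMapInterface $map;
 
-    public function __construct(ClearableTokenStorageInterface $csrfTokenStorage)
+    public function __construct(ClearableTokenStorageInterface $csrfTokenStorage, FirewallMapInterface $map)
     {
         $this->csrfTokenStorage = $csrfTokenStorage;
+        $this->map = $map;
     }
 
     public function onLogout(LogoutEvent $event): void
     {
-        if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) {
+        $request = $event->getRequest();
+
+        if (
+            $this->csrfTokenStorage instanceof SessionTokenStorage
+            && (
+                ($this->map instanceof FirewallMap && $this->map->getFirewallConfig($request)->isStateless())
+                || !$request->hasPreviousSession()
+            )
+        ) {
             return;
         }
 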
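Review bot: The stateless check in onLogout only takes effect when the injected map is the bundle's concrete `FirewallMap`; for any other `FirewallMapInterface` implementation the new condition silently degrades to the old `!$request->hasPreviousSession()` test, so the fix does not apply there, and the component class now imports a SecurityBundle class it previously had no dependency on. The bundle's `getFirewallConfig()` has a nullable return, so `->isStateless()` should be guarded against a null config rather than called unconditionally, for example `$config = $this->map->getFirewallConfig($request); $isStateless = null !== $config && $config->isStateless();` before the `if`. Changing the constructor from one to two required parameters is a BC break for code that instantiates the listener directly; a nullable second parameter defaulting to `null` (with the `instanceof` check already tolerating it) would keep existing callers working. A why-comment above the condition, along the lines of `// Presumably: clearing a session-backed storage would start a session, which must not happen on a stateless firewall — confirm`, would make the intent of the `isStateless()` branch visible to the next maintainer. The body of onLogout continues past the end of this hunk.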