[英]Symfony custom authentication provider log out on request overlap
Symfony 3.3.17和3.4.9再现了这个问题
我有一个自定义身份验证提供程序,它将遗留应用程序和Symfony应用程序连接在一起:
应用程序/配置/ security.yml
security:
providers:
zog:
id: app.zog_user_provider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
logout:
path: /logout
target: /
guard:
authenticators:
- app.legacy_token_authenticator
- app.token_authenticator
entry_point: app.legacy_token_authenticator
SRC /的appbundle /安全/ LegacyTokenAuthenticator:
class LegacyTokenAuthenticator extends AbstractGuardAuthenticator
{
private $session;
private $router;
public function __construct(
RouterInterface $router,
SessionInterface $session,
$environment
) {
if (session_status() != PHP_SESSION_ACTIVE) {
if ($environment != 'test'){
session_start();
}
$session->start();
$this->setSession($session);
}
//if (!$session->isStarted()) {
//}
$this->router = $router;
}
/**
* @return mixed
*/
public function getSession()
{
return $this->session;
}
/**
* @param mixed $session
*/
public function setSession($session)
{
$this->session = $session;
}
/**
* Called on every request. Return whatever credentials you want,
* or null to stop authentication.
*/
public function getCredentials(Request $request)
{
$session = $this->getSession();
if (isset($_SESSION['ADMIN_logged_in']) && intval($_SESSION['ADMIN_logged_in'])){
return $_SESSION['ADMIN_logged_in'];
}
return;
}
public function getUser($credentials, UserProviderInterface $userProvider)
{
return $userProvider->loadUserByUserId($credentials);
}
public function checkCredentials($credentials, UserInterface $user)
{
return $user->getUsername() == $credentials;
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
return null;
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
return null;
}
/**
* Called when authentication is needed, but it's not sent
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$url = $this->router->generate('app_security_login');
return new RedirectResponse($url);
}
public function supportsRememberMe()
{
return false;
}
}
SRC /的appbundle /安全/ TokenAuthenticator:
class TokenAuthenticator extends AbstractGuardAuthenticator
{
/**
* @var \Symfony\Component\Routing\RouterInterface
*/
private $router;
/**
* Default message for authentication failure.
*
* @var string
*/
private $failMessage = 'Invalid credentials';
/**
* @var UserPasswordEncoderInterface
*/
private $passwordEncoder;
/**
* Creates a new instance of FormAuthenticator
*/
public function __construct(
RouterInterface $router,
SessionInterface $session,
$environment,
UserPasswordEncoderInterface $passwordEncoder
) {
$this->passwordEncoder = $passwordEncoder;
$this->router = $router;
if (session_status() != PHP_SESSION_ACTIVE) {
if ($environment != 'test') {
session_start();
}
$session->start();
}
}
/**
* {@inheritdoc}
*/
public function getCredentials(Request $request)
{
if ($request->getPathInfo() != '/security/login' || !$request->isMethod('POST')) {
return;
}
return ['username' => $request->request->get('username'), 'password' => $request->request->get('password')];
}
/**
* {@inheritdoc}
*/
public function getUser($credentials, UserProviderInterface $userProvider)
{
try {
return $userProvider->loadUserByUsername($credentials['username']);
} catch (UsernameNotFoundException $e) {
throw new CustomUserMessageAuthenticationException(
$e->getMessage() != '' ?$e->getMessage():$this->failMessage
);
}
}
/**
* {@inheritdoc}
*/
public function checkCredentials($credentials, UserInterface $user)
{
if ($this->passwordEncoder->isPasswordValid($user, $credentials['password'])) {
return true;
}
throw new CustomUserMessageAuthenticationException($this->failMessage);
}
/**
* {@inheritdoc}
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
$_SESSION['ADMIN_logged_in'] = $token->getUser()->getUsername();
if ($_SESSION['legacy_page_requested'] ?? '/'){
$url = $_SESSION['legacy_page_requested'] ?? '/';
}else{
$url = '/workflow_detailv2view.php';
}
unset($_SESSION['legacy_page_requested']);
return new RedirectResponse($url);
}
/**
* {@inheritdoc}
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
$request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
$url = $this->router->generate('app_security_login');
return new RedirectResponse($url);
}
/**
* {@inheritdoc}
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$url = $this->router->generate('app_security_login');
return new RedirectResponse($url);
}
/**
* {@inheritdoc}
*/
public function supportsRememberMe()
{
return false;
}
}
我发现这个系统工作正常。 但是,旧版页面中的新功能是运行2个重叠的Symfony异步应用程序请求。
在这种情况下,第一个请求显示2会话Cookie
Request URL: https://somedomain.com/system/staff_meeting/edit/1
Request Method: GET
Status Code: 200 OK
Remote Address: 222.154.225.22:443
Referrer Policy: no-referrer-when-downgrade
Cache-Control: max-age=0, must-revalidate, private
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Wed, 13 Jun 2018 21:57:19 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=15, max=90
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/7.0.20
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: PHPSESSID=tn7jhi5n2iu16le1os971vn024; path=/
Transfer-Encoding: chunked
X-Powered-By: PHP/7.0.20
并且第二个请求正在注销:
Request URL: https://somedomain.com/system/staff_meeting/edit/1
Request Method: GET
Status Code: 302 Found
Remote Address: 222.154.225.22:443
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: max-age=0, must-revalidate, private
Connection: Keep-Alive
Content-Length: 332
Content-Type: text/html; charset=UTF-8
Date: Thu, 14 Jun 2018 01:26:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=15, max=90
Location: /system/security/login
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/7.0.20
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Powered-By: PHP/7.0.20
我相信在访问我们用于将遗留系统和Symfony应用程序保存在一起的$ _SESSION变量时,这必须是一些竞争条件。
有任何想法如何解决这个问题?
对您的身份验证器进行以下更改,以使会话管理保持为symfony:
SRC /的appbundle /安全/ LegacyTokenAuthenticator:
public function __construct(RouterInterface $router) {
$this->router = $router;
}
public function getUser($credentials, UserProviderInterface $userProvider)
{
return $userProvider->loadUserByUsername($credentials);
}
public function getCredentials(Request $request)
{
$session = $request->getSession();
if ($session->has('ADMIN_logged_in') && intval($session->get('ADMIN_logged_in'))){
return $session->get('ADMIN_logged_in');
}
return null;
}
SRC /的appbundle /安全/ TokenAuthenticator:
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
$session = $request->getSession();
$session->set('ADMIN_logged_in', $token->getUser()->getUsername());
if ($session->has('legacy_page_requested')) {
$url = $session->get('legacy_page_requested') ?? '/';
$session->remove('legacy_page_requested');
} else {
$url = '/workflow_detailv2view.php';
}
return new RedirectResponse($url);
}
我能够通过设置来规避问题
security.yml
security:
session_fixation_strategy: none
但我不确定如何修复会话的重新生成和Cookie值的相应重命名。
我仍然渴望听到关于此的其他想法。
我不完全了解您的架构,但我认为最好不要在单个防火墙上安装两个Guard Authenticators。
您可以使Symfony会话成为遗留会话,如下所示:
# config.yml
framework:
session:
handler_id: session.handler.native_file
save_path: "/tmp/sessions/%kernel.environment%"
从那里,您使用$_SESSION
超全局(遗留代码经常使用)可以管理您拥有的任何遗留会话。
如果您想为旧系统和新系统设置不同的登录规则,我的建议是设置两个不同的防火墙。 您可以分配共享上下文,以便用户无需重新进行身份验证,只需在子类中添加一些其他规则即可。
避免调用session_start()或$ session-> start();! Symfony会自己做这件事。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.