Symfony自定义身份验证提供程序根据请求重叠注销

Question

Symfony 3.3.17和3.4.9再现了这个问题

我有一个自定义身份验证提供程序，它将遗留应用程序和Symfony应用程序连接在一起：

应用程序/配置/ security.yml

security:
    providers:
        zog:
            id: app.zog_user_provider


    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:

            anonymous: ~
            logout:
                path:   /logout
                target: /
            guard:
                authenticators:
                    - app.legacy_token_authenticator
                    - app.token_authenticator
                entry_point: app.legacy_token_authenticator

SRC /的appbundle /安全/ LegacyTokenAuthenticator：

class LegacyTokenAuthenticator extends AbstractGuardAuthenticator
{
    private $session;

    private $router;

    public function __construct(
        RouterInterface $router,
        SessionInterface $session,
        $environment
    ) {
        if (session_status() != PHP_SESSION_ACTIVE) {
            if ($environment != 'test'){
                session_start();
            }
            $session->start();
            $this->setSession($session);
        }
        //if (!$session->isStarted()) {

        //}


        $this->router = $router;
    }


    /**
     * @return mixed
     */
    public function getSession()
    {
        return $this->session;
    }


    /**
     * @param mixed $session
     */
    public function setSession($session)
    {
        $this->session = $session;
    }


    /**
     * Called on every request. Return whatever credentials you want,
     * or null to stop authentication.
     */
    public function getCredentials(Request $request)
    {
        $session = $this->getSession();

        if (isset($_SESSION['ADMIN_logged_in']) && intval($_SESSION['ADMIN_logged_in'])){
            return $_SESSION['ADMIN_logged_in'];
        }
        return;
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        return $userProvider->loadUserByUserId($credentials);
    }

    public function checkCredentials($credentials, UserInterface $user)
    {
        return $user->getUsername() == $credentials;
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return null;
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        return null;
    }

    /**
     * Called when authentication is needed, but it's not sent
     */
    public function start(Request $request, AuthenticationException $authException = null)
    {
        $url = $this->router->generate('app_security_login');
        return new RedirectResponse($url);
    }

    public function supportsRememberMe()
    {
        return false;
    }
}

SRC /的appbundle /安全/ TokenAuthenticator：

class TokenAuthenticator extends AbstractGuardAuthenticator
{

    /**
     * @var \Symfony\Component\Routing\RouterInterface
     */
    private $router;

    /**
     * Default message for authentication failure.
     *
     * @var string
     */
    private $failMessage = 'Invalid credentials';

    /**
     * @var UserPasswordEncoderInterface
     */
    private $passwordEncoder;

    /**
     * Creates a new instance of FormAuthenticator
     */
    public function __construct(
        RouterInterface $router,
        SessionInterface $session,
        $environment,
        UserPasswordEncoderInterface $passwordEncoder
    ) {
        $this->passwordEncoder = $passwordEncoder;
        $this->router = $router;

        if (session_status() != PHP_SESSION_ACTIVE) {
            if ($environment != 'test') {
                session_start();
            }
            $session->start();
        }

    }

    /**
     * {@inheritdoc}
     */
    public function getCredentials(Request $request)
    {
        if ($request->getPathInfo() != '/security/login' || !$request->isMethod('POST')) {
            return;
        }

        return ['username' => $request->request->get('username'), 'password' => $request->request->get('password')];
    }

    /**
     * {@inheritdoc}
     */
    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        try {
            return $userProvider->loadUserByUsername($credentials['username']);
        } catch (UsernameNotFoundException $e) {
            throw new CustomUserMessageAuthenticationException(
                $e->getMessage() != '' ?$e->getMessage():$this->failMessage
            );
        }
    }

    /**
     * {@inheritdoc}
     */
    public function checkCredentials($credentials, UserInterface $user)
    {
        if ($this->passwordEncoder->isPasswordValid($user, $credentials['password'])) {
            return true;
        }
        throw new CustomUserMessageAuthenticationException($this->failMessage);
    }

    /**
     * {@inheritdoc}
     */
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        $_SESSION['ADMIN_logged_in'] = $token->getUser()->getUsername();
        if ($_SESSION['legacy_page_requested'] ?? '/'){
            $url = $_SESSION['legacy_page_requested'] ?? '/';
        }else{
            $url = '/workflow_detailv2view.php';
        }
        unset($_SESSION['legacy_page_requested']);
        return new RedirectResponse($url);
    }

    /**
     * {@inheritdoc}
     */
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);

        $url = $this->router->generate('app_security_login');
        return new RedirectResponse($url);
    }

    /**
     * {@inheritdoc}
     */
    public function start(Request $request, AuthenticationException $authException = null)
    {
        $url = $this->router->generate('app_security_login');
        return new RedirectResponse($url);
    }

    /**
     * {@inheritdoc}
     */
    public function supportsRememberMe()
    {
        return false;
    }
}

我发现这个系统工作正常。 但是，旧版页面中的新功能是运行2个重叠的Symfony异步应用程序请求。

在这种情况下，第一个请求显示2会话Cookie

Request URL: https://somedomain.com/system/staff_meeting/edit/1
Request Method: GET
Status Code: 200 OK
Remote Address: 222.154.225.22:443
Referrer Policy: no-referrer-when-downgrade
Cache-Control: max-age=0, must-revalidate, private
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Wed, 13 Jun 2018 21:57:19 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=15, max=90
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/7.0.20
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: PHPSESSID=tn7jhi5n2iu16le1os971vn024; path=/
Transfer-Encoding: chunked
X-Powered-By: PHP/7.0.20

并且第二个请求正在注销：

Request URL: https://somedomain.com/system/staff_meeting/edit/1
Request Method: GET
Status Code: 302 Found
Remote Address: 222.154.225.22:443
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: max-age=0, must-revalidate, private
Connection: Keep-Alive
Content-Length: 332
Content-Type: text/html; charset=UTF-8
Date: Thu, 14 Jun 2018 01:26:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=15, max=90
Location: /system/security/login
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/7.0.20
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Powered-By: PHP/7.0.20

我相信在访问我们用于将遗留系统和Symfony应用程序保存在一起的$ _SESSION变量时，这必须是一些竞争条件。

有任何想法如何解决这个问题？

Answer 1

对您的身份验证器进行以下更改，以使会话管理保持为symfony：

SRC /的appbundle /安全/ LegacyTokenAuthenticator：

public function __construct(RouterInterface $router) {
    $this->router = $router;
}

public function getUser($credentials, UserProviderInterface $userProvider)
{
    return $userProvider->loadUserByUsername($credentials);
}

public function getCredentials(Request $request)
{
    $session = $request->getSession();
    if ($session->has('ADMIN_logged_in') && intval($session->get('ADMIN_logged_in'))){
        return $session->get('ADMIN_logged_in');
    }
    return null;
}

SRC /的appbundle /安全/ TokenAuthenticator：

public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
    $session = $request->getSession();
    $session->set('ADMIN_logged_in', $token->getUser()->getUsername());
    if ($session->has('legacy_page_requested')) {
        $url = $session->get('legacy_page_requested') ?? '/';
        $session->remove('legacy_page_requested');
    } else {
        $url = '/workflow_detailv2view.php';
    }
    return new RedirectResponse($url);
}

Answer 2

我能够通过设置来规避问题

security.yml

security:
    session_fixation_strategy: none

但我不确定如何修复会话的重新生成和Cookie值的相应重命名。

我仍然渴望听到关于此的其他想法。

Answer 3

我不完全了解您的架构，但我认为最好不要在单个防火墙上安装两个Guard Authenticators。

您可以使Symfony会话成为遗留会话，如下所示：

# config.yml
framework:
    session:
        handler_id: session.handler.native_file
        save_path: "/tmp/sessions/%kernel.environment%"

从那里，您使用$_SESSION超全局（遗留代码经常使用）可以管理您拥有的任何遗留会话。

如果您想为旧系统和新系统设置不同的登录规则，我的建议是设置两个不同的防火墙。 您可以分配共享上下文，以便用户无需重新进行身份验证，只需在子类中添加一些其他规则即可。

Answer 4

避免调用session_start（）或$ session-> start（）;! Symfony会自己做这件事。