Commits on Jan 2, 2025

1. [Security] Use the session only if it is started when using `SameOrig… …

   …inCsrfTokenManager`

   

   Thibault G authored and nicolas-grekas committed Jan 2, 2025
   Configuration menu

   • View commit details
   • Copy full SHA for e32d3c2
   • Browse repository at this point

   Copy the full SHA

   e32d3c2 View commit details

   Browse the repository at this point in the history

2. bug #59146 [Security] Use the session only if it is started when usin… …

   …g `SameOriginCsrfTokenManager` (Thibault G)
   
   This PR was merged into the 7.2 branch.
   
   Discussion
   ----------
   
   [Security] Use the session only if it is started when using `SameOriginCsrfTokenManager`
   
   | Q             | A
   | ------------- | ---
   | Branch?       | 7.2
   | Bug fix?      | yes
   | New feature?  | no
   | Deprecations? | no
   | Issues        | Fix #59092
   | License       | MIT
   
   If I understand well, the `SameOriginCsrfTokenManager` has been created to provide a stateless way of creating CSRF tokens and therefore allow pages with CSRF tokens to be cached.
   
   When using `Symfony\Component\Security\Csrf\SameOriginCsrfTokenManager`, I think an additionnal check must be done to ensure that the session is started in addition to verifying that it exists. If not, the CSRF strategy used will be persisted everytime in the session and the stateless check (used with the `#[Route]` attribute parameter) will therefore never pass.
   
   Commits
   -------
   
   1327e38db3a [Security] Use the session only if it is started when using `SameOriginCsrfTokenManager`

   

   fabpot committed Jan 2, 2025
   Configuration menu

   • View commit details
   • Copy full SHA for 2b4b0c4
   • Browse repository at this point

   Copy the full SHA

   2b4b0c4 View commit details

   Browse the repository at this point in the history