Closed
Symfony version(s) affected
6.2.6
Description
After installing the fix for https://symfony.com/blog/cve-2022-24895-csrf-token-fixation, tests fail with the message "The CSRF token is invalid." I have only been able to reproduce this in tests, not (yet) when running the application in the browser.
How to reproduce
- Install the Symfony demo project: https://github.com/symfony/demo
- Run `./bin/phpunit`. All tests should succeed.
- Run `composer update`.
- Run `./bin/phpunit`. Multiple tests should fail. Add `| grep CSRF` and you will find the error message.
Possible Solution
I have no clue yet. My conclusion is that `$this->csrfTokenStorage->clear();` is the cause of this bug (see 5909d74#diff-0ff1412624a79146c346925f2407eb4783b144da38ddb369ca30e49d046fab70R59), but removing this is obviously not an option as it is the fix for the CVE.
Additional Context
Docker one-liner:

```shell
docker run -it --rm composer bash -c " \
composer create-project symfony/symfony-demo my_project; \
cd my_project/; \
./bin/phpunit; \
composer update; \
./bin/phpunit | head -n 6; \
./bin/phpunit | grep CSRF \
"
```
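If the reporter's diagnosis is right, the fix clears the CSRF token storage during the session migration that happens on login, so any token a test captured from a page rendered before authentication is no longer accepted afterwards. The test below is an added example, not code from the Symfony demo project or from this issue; it shows the pattern that stays valid under the fix: authenticate through the real login form, then render the protected form and submit the token it contains. The routes (`/login`, `/admin/post/new`), button labels, credentials and form field names are assumptions, not values taken from the page.

```php
<?php
// Added example for this issue, not code from the Symfony demo project or
// from the reporter. Everything app-specific here is assumed: a form_login
// firewall at /login using Symfony's default field names (_username,
// _password, _csrf_token), the button labels, the credentials, and a
// CSRF-protected form at /admin/post/new with fields post[title] etc.

declare(strict_types=1);

namespace App\Tests\Controller;

use Symfony\Bundle\FrameworkBundle\KernelBrowser;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class CsrfTokenAfterLoginTest extends WebTestCase
{
    /**
     * Authenticate through the real login form so the request passes the
     * firewall's session-migration step, which is where the reporter
     * locates the added $this->csrfTokenStorage->clear() call.
     */
    private function login(KernelBrowser $client): void
    {
        $crawler = $client->request('GET', '/login');
        self::assertResponseIsSuccessful();

        // The login form's own CSRF token (_csrf_token) is read from the
        // rendered page, so it is always fresh for this request.
        $form = $crawler->selectButton('Sign in')->form([
            '_username' => 'jane_admin', // assumed credentials
            '_password' => 'kitten',
        ]);
        $client->submit($form);
        self::assertResponseRedirects();
        $client->followRedirect();
    }

    public function testFormSubmissionWithTokenIssuedAfterLogin(): void
    {
        $client = static::createClient();
        $this->login($client);

        // Render the protected form only now, after authentication. The
        // CSRF token embedded in it belongs to the post-login session, so
        // it is still in the token storage when the form is submitted.
        // A token captured from a page rendered before login would have
        // been wiped with the rest of the storage, and the submission
        // would come back with "The CSRF token is invalid."
        $crawler = $client->request('GET', '/admin/post/new');
        self::assertResponseIsSuccessful();

        $form = $crawler->selectButton('Create post')->form([
            'post[title]'   => 'Token fetched after login', // constructed data
            'post[summary]' => 'constructed test data',
            'post[content]' => 'constructed test data',
        ]);
        $client->submit($form);

        // A rejected CSRF token re-renders the form instead of redirecting,
        // so a redirect here means the token was accepted.
        self::assertResponseRedirects();
    }
}
```

The key design choice is that the token is never captured before `login()` returns: every CSRF token the test submits is taken from a page rendered inside the authenticated session, which is the only storage that survives the migration step the fix touches.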