[Security] Session concurrency control #12810

Expand Up @@ -79,6 +79,7 @@ public function getConfigTreeBuilder()
$this->addFirewallsSection($rootNode, $this->factories);
$this->addAccessControlSection($rootNode);
$this->addRoleHierarchySection($rootNode);
$this->addSessionRegistrySection($rootNode);

return $tb;
}
Expand Down Expand Up @@ -288,6 +289,21 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
->scalarNode('role')->defaultValue('ROLE_ALLOWED_TO_SWITCH')->end()
->end()
->end()
->arrayNode('session_expiration')
->canBeUnset()
->children()
->integerNode('max_idle_time')->defaultValue(ini_get('session.gc_maxlifetime'))->min(1)->end()
->scalarNode('expiration_url')->defaultNull()->end()
->end()
->end()
This only belongs to your other pull request, doesn't it?

Yes, this PR includes the other PR's first two changesets.

->arrayNode('session_concurrency')
->canBeUnset()
->children()
->integerNode('max_sessions')->min(0)->end()
->booleanNode('error_if_maximum_exceeded')->defaultTrue()->end()
->booleanNode('register_new_sessions')->defaultNull()->end()
->end()
->end()
;

$abstractFactoryKeys = array();
Expand Down Expand Up @@ -430,4 +446,13 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
->end()
;
}

private function addSessionRegistrySection(ArrayNodeDefinition $rootNode)
{
$rootNode
->children()
->scalarNode('session_registry_storage')->defaultValue('security.session_registry.storage.file')->end()
->end()
;
}
}
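Review bot: `->integerNode('max_idle_time')->defaultValue(ini_get('session.gc_maxlifetime'))` in the new session_expiration node seeds an integer node with a string — ini_get returns the directive as a string, or false when it is not set — and as far as I recall default values bypass the node's type validation, so SessionExpirationListener can receive `"1440"` or `false` rather than an int, and the `min(1)` constraint never applies to that default. Suggest `->integerNode('max_idle_time')->defaultValue((int) ini_get('session.gc_maxlifetime'))->min(1)->end()`. The value is also read from the php.ini of the process that compiles the container, which may differ from the runtime SAPI's setting; a one-line comment on that node stating this would help operators.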
Expand Up @@ -146,7 +146,7 @@ protected function createEntryPoint($container, $id, $config, $defaultEntryPoint
*
* @param array $config
*
* @return bool Whether a possibly configured RememberMeServices should be set for this listener
* @return bool Whether a possibly configured RememberMeServices should be set for this listener
*/
protected function isRememberMeAware($config)
{
Expand All @@ -157,6 +157,13 @@ protected function createListener($container, $id, $config, $userProvider)
{
$listenerId = $this->getListenerId();
$listener = new DefinitionDecorator($listenerId);

//Check for custom session authentication strategy
$sessionAuthenticationStrategyId = 'security.authentication.session_strategy.'.$id;
if ($container->hasDefinition($sessionAuthenticationStrategyId) || $container->hasAlias($sessionAuthenticationStrategyId)) {
$listener->replaceArgument(2, new Reference($sessionAuthenticationStrategyId));
}

$listener->replaceArgument(4, $id);
$listener->replaceArgument(5, new Reference($this->createAuthenticationSuccessHandler($container, $id, $config)));
$listener->replaceArgument(6, new Reference($this->createAuthenticationFailureHandler($container, $id, $config)));
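Review bot: The custom-strategy lookup added to createListener assumes argument index 2 of whatever listener `$this->getListenerId()` names is the session authentication strategy; that abstract definition is outside this hunk, so the index should be confirmed for every factory inheriting this method, and a comment such as `// argument 2 of the abstract listener definition is the session authentication strategy` would document the coupling. The id `'security.authentication.session_strategy.'.$id` is also built independently here and in SecurityExtension::createConcurrentSessionAuthenticationStrategy; a shared constant would keep the two from drifting. Minor style: `//Check for custom session authentication strategy` should have a space after `//` per PSR-2. createListener continues past the end of the hunk.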
Expand Up @@ -71,6 +71,10 @@ public function load(array $configs, ContainerBuilder $container)
$container->removeDefinition('security.access.expression_voter');
}

if (isset($config['session_registry_storage'])) {
$this->loadSessionRegistry($config, $container, $loader);
}

// set some global scalars
$container->setParameter('security.access.denied_url', $config['access_denied_url']);
$container->setParameter('security.authentication.manager.erase_credentials', $config['erase_credentials']);
Expand Down Expand Up @@ -361,6 +365,11 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
$listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider));
}

// Session expiration listener
if (isset($firewall['session_expiration'])) {
$listeners[] = new Reference($this->createSessionExpirationListener($container, $id, $firewall));
}

// Access listener
$listeners[] = new Reference('security.access_listener');

Expand Down Expand Up @@ -394,6 +403,10 @@ private function createAuthenticationListeners($container, $id, $firewall, &$aut
$hasListeners = false;
$defaultEntryPoint = null;

if (isset($firewall['session_concurrency'])) {
$this->createConcurrentSessionAuthenticationStrategy($container, $id, $firewall);
}

foreach ($this->listenerPositions as $position) {
foreach ($this->factories[$position] as $factory) {
$key = str_replace('-', '_', $factory->getKey());
Expand Down Expand Up @@ -611,6 +624,17 @@ private function createSwitchUserListener($container, $id, $config, $defaultProv
return $switchUserListenerId;
}

private function createSessionExpirationListener($container, $id, $config)
{
$expiredSessionListenerId = 'security.authentication.sessionexpiration_listener.'.$id;
$listener = $container->setDefinition($expiredSessionListenerId, new DefinitionDecorator('security.authentication.sessionexpiration_listener'));

$listener->replaceArgument(2, $config['session_expiration']['max_idle_time']);
$listener->replaceArgument(3, $config['session_expiration']['expiration_url']);

return $expiredSessionListenerId;
}

private function createExpression($container, $expression)
{
if (isset($this->expressions[$id = 'security.expression.'.sha1($expression)])) {
Expand Down Expand Up @@ -697,4 +721,60 @@ private function getExpressionLanguage()

return $this->expressionLanguage;
}

private function loadSessionRegistry($config, ContainerBuilder $container, $loader)
{
$container->setAlias('security.session_registry.storage', $config['session_registry_storage']);
$loader->load('security_session_concurrency.xml');
}

private function createConcurrentSessionAuthenticationStrategy($container, $id, $config)
{
$authenticationStrategies = array();
$sessionStrategyId = 'security.authentication.session_strategy.'.$id;

if (isset($config['session_concurrency']['max_sessions']) && $config['session_concurrency']['max_sessions'] > 0) {
$concurrentSessionControlStrategyId = 'security.authentication.session_strategy.concurrent_control.'.$id;
$container
->setDefinition(
$concurrentSessionControlStrategyId, new DefinitionDecorator(
'security.authentication.session_strategy.concurrent_control'
)
)
->replaceArgument(1, $config['session_concurrency']['max_sessions'])
->replaceArgument(2, $config['session_concurrency']['error_if_maximum_exceeded'])
;

$authenticationStrategies[] = new Reference($concurrentSessionControlStrategyId);
}

$fixationSessionStrategyId = 'security.authentication.session_strategy.fixation.'.$id;
$container->setAlias(
$fixationSessionStrategyId, 'security.authentication.session_strategy'
);
$authenticationStrategies[] = new Reference($fixationSessionStrategyId);

if (
(!isset($config['register_new_sessions']) && $config['stateless'] == false) || (isset($config['register_new_sessions']) && $config['register_new_sessions'] == true)
) {
$registerSessionStrategyId = 'security.authentication.session_strategy.register.'.$id;
$container->setDefinition(
$registerSessionStrategyId, new DefinitionDecorator(
'security.authentication.session_strategy.register'
)
);
$authenticationStrategies[] = new Reference($registerSessionStrategyId);
}

$container
->setDefinition(
$sessionStrategyId, new DefinitionDecorator(
'security.authentication.session_strategy.composite'
)
)
->replaceArgument(0, $authenticationStrategies)
;

return $sessionStrategyId;
}
}
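Review bot: `isset($config['register_new_sessions'])` in createConcurrentSessionAuthenticationStrategy reads the wrong level of the firewall config: the option is declared under `session_concurrency` in Configuration.php (`booleanNode('register_new_sessions')`), so unless it is also declared at firewall level elsewhere this isset is always false and a configured `register_new_sessions` is silently ignored, leaving the register strategy governed solely by `$config['stateless'] == false`. Suggest `$registerNewSessions = $config['session_concurrency']['register_new_sessions'];` followed by `if ($registerNewSessions === true || ($registerNewSessions === null && !$config['stateless'])) {`, which also drops the loose `== true` / `== false` comparisons. Separately, `isset($config['session_registry_storage'])` in load() is presumably always true because that node carries a default value in Configuration, so the registry services and the garbage-collector subscriber are loaded for every application, not only those using session concurrency; if that is intended, a comment saying so would avoid the misleading guard.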
@@ -0,0 +1,55 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\SecurityBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\PostResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Http\Session\SessionRegistry;

/**
* Clear session information from registry for idle sessions
*
* @author Antonio J. García Lagar <aj@garcialagar.es>
*/
class SessionRegistryGarbageCollectorListener implements EventSubscriberInterface
{
/**
* @var SessionRegistry
*/
private $sessionRegistry;
private $maxLifetime;
private $probability;
private $divisor;

public function __construct(SessionRegistry $sessionRegistry, $maxLifetime = 1, $probability = null, $divisor = null)
{
$this->sessionRegistry = $sessionRegistry;
$this->maxLifetime = $maxLifetime ?: ini_get('session.gc_maxlifetime');
$this->probability = $probability ?: ini_get('session.gc_probability');
$this->divisor = $divisor ?: ini_get('session.gc_divisor');
}

public function onKernelTerminate(PostResponseEvent $event)
{
if ($this->probability / $this->divisor > lcg_value() || true) {


|| true ???

$this->sessionRegistry->collectGarbage($this->maxLifetime);
}
}

public static function getSubscribedEvents()
{
return array(
KernelEvents::TERMINATE => array(array('onKernelTerminate')),
);
}
}
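Review bot: The constructor default `$maxLifetime = 1` combined with `$maxLifetime ?: ini_get('session.gc_maxlifetime')` makes the ini fallback unreachable — 1 is truthy — and the service definition in security_session_concurrency.xml passes only the registry, so in the default wiring collectGarbage() is presumably called with a one-second lifetime. Suggest `public function __construct(SessionRegistry $sessionRegistry, $maxLifetime = null, $probability = null, $divisor = null)` and casting the ini strings, e.g. `$this->maxLifetime = (int) ($maxLifetime ?: ini_get('session.gc_maxlifetime'));`. `$this->probability / $this->divisor` also divides by whatever `session.gc_divisor` yields, so a zero or false divisor (directive absent) should be guarded before the division. A class-level docblock explaining that probability/divisor mirror PHP's own session GC odds would make the three options self-explanatory.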
Expand Up @@ -28,6 +28,8 @@

<parameter key="security.authentication.switchuser_listener.class">Symfony\Component\Security\Http\Firewall\SwitchUserListener</parameter>

<parameter key="security.authentication.sessionexpiration_listener.class">Symfony\Component\Security\Http\Firewall\SessionExpirationListener</parameter>

<parameter key="security.logout_listener.class">Symfony\Component\Security\Http\Firewall\LogoutListener</parameter>
<parameter key="security.logout.handler.session.class">Symfony\Component\Security\Http\Logout\SessionLogoutHandler</parameter>
<parameter key="security.logout.handler.cookie_clearing.class">Symfony\Component\Security\Http\Logout\CookieClearingLogoutHandler</parameter>
Expand Down Expand Up @@ -257,6 +259,16 @@
<argument type="service" id="event_dispatcher" on-invalid="null"/>
</service>

<service id="security.authentication.sessionexpiration_listener" class="%security.authentication.sessionexpiration_listener.class%" public="false" abstract="true">
<tag name="monolog.logger" channel="security" />
<argument type="service" id="security.token_storage" />
<argument type="service" id="security.http_utils" />
<argument /> <!-- Max idle time -->
<argument /> <!-- Target-URL -->
<argument type="service" id="security.session_registry" on-invalid="null" />
<argument type="service" id="logger" on-invalid="null" />
</service>

<service id="security.access_listener" class="%security.access_listener.class%" public="false">
<tag name="monolog.logger" channel="security" />
<argument type="service" id="security.context" />
@@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>

<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">

<parameters>
<parameter key="security.authentication.session_strategy.concurrent_control.class">Symfony\Component\Security\Http\Session\ConcurrentSessionControlAuthenticationStrategy</parameter>
<parameter key="security.authentication.session_strategy.register.class">Symfony\Component\Security\Http\Session\RegisterSessionAuthenticationStrategy</parameter>
<parameter key="security.authentication.session_strategy.composite.class">Symfony\Component\Security\Http\Session\CompositeSessionAuthenticationStrategy</parameter>
<parameter key="security.session_registry.class">Symfony\Component\Security\Http\Session\SessionRegistry</parameter>
<parameter key="security.session_registry.garbage_collector.class">Symfony\Bundle\SecurityBundle\EventListener\SessionRegistryGarbageCollectorListener</parameter>
<parameter key="security.session_registry.storage.file.class">Symfony\Component\Security\Http\Session\FileSessionRegistryStorage</parameter>
</parameters>

<services>

<service id="security.authentication.session_strategy.concurrent_control" class="%security.authentication.session_strategy.concurrent_control.class%" abstract="true" public="false">
<argument type="service" id="security.session_registry" />
<argument /> <!-- maximum sessions -->
<argument /> <!-- error if maximum exceeded -->
</service>

<service id="security.authentication.session_strategy.register" class="%security.authentication.session_strategy.register.class%" abstract="true" public="false">
<argument type="service" id="security.session_registry" />
</service>

<service id="security.authentication.session_strategy.composite" class="%security.authentication.session_strategy.composite.class%" abstract="true" public="false">
<argument type="collection" /> <!-- delegate Strategies -->
</service>

<service id="security.session_registry" class="%security.session_registry.class%" public="true">
<argument type="service" id="security.session_registry.storage" />
</service>

<service id="security.session_registry.storage.file" class="%security.session_registry.storage.file.class%" public="false">
<argument>%kernel.cache_dir%/session_registry</argument>
</service>

<service id="security.session_registry.garbage_collector" class="%security.session_registry.garbage_collector.class%" public="true">
<tag name="kernel.event_subscriber" />
<argument type="service" id="security.session_registry" />
</service>

</services>
</container>
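Review bot: `security.session_registry.storage.file` persists the session registry under `%kernel.cache_dir%/session_registry`, so a cache clear or a fresh deploy wipes the record of active sessions and every user's concurrency count silently restarts at zero while their earlier sessions are still valid; a comment on that service noting that the file storage is a development default and that production should point `session_registry_storage` at a durable backend would set expectations. The `security.session_registry.garbage_collector` service does not need `public="true"` — it is reached through the `kernel.event_subscriber` tag — so `public="false"` would match the other services in this file. It is also worth documenting that loading this file registers the garbage collector unconditionally, even for firewalls that never enable session_concurrency.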
@@ -0,0 +1,81 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\SecurityBundle\Tests\Functional;

/**
* @author Antonio J. García Lagar <aj@garcialagar.es>
* @group functional
*/
class SessionConcurrencyTest extends WebTestCase
{
public function testLoginWorksWhenConcurrentSessionsLesserThanMaximun()
{
$client = $this->createClient(array('test_case' => 'SessionExpiration', 'root_config' => 'session_concurrency.yml'));
$form = $client->request('GET', '/login')->selectButton('login')->form();
$form['_username'] = 'antonio';
$form['_password'] = 'secret';
$client->submit($form);

$this->assertRedirect($client->getResponse(), '/profile');
}

public function testLoginFailsWhenConcurrentSessionsGreaterOrEqualThanMaximun()
{
$client1 = $this->createClient(array('test_case' => 'SessionExpiration', 'root_config' => 'session_concurrency.yml'));
$client1->insulate();
$form1 = $client1->request('GET', '/login')->selectButton('login')->form();
$form1['_username'] = 'antonio';
$form1['_password'] = 'secret';
$client1->submit($form1);

$client2 = $this->createClient(array('test_case' => 'SessionExpiration', 'root_config' => 'session_concurrency.yml'));
$client2->insulate();
$form2 = $client2->request('GET', '/login')->selectButton('login')->form();
$form2['_username'] = 'antonio';
$form2['_password'] = 'secret';
$client2->submit($form2);

$this->assertRedirect($client2->getResponse(), '/login');
}

public function testOldSessionExpiresConcurrentSessionsGreaterOrEqualThanMaximun()
{
$client1 = $this->createClient(array('test_case' => 'SessionExpiration', 'root_config' => 'session_concurrency_expiration.yml'));
$form1 = $client1->request('GET', '/login')->selectButton('login')->form();
$form1['_username'] = 'antonio';
$form1['_password'] = 'secret';
$client1->submit($form1);
$this->assertRedirect($client1->getResponse(), '/profile');

$client2 = $this->createClient(array('test_case' => 'SessionExpiration', 'root_config' => 'session_concurrency_expiration.yml'));
$client2->insulate();
$form2 = $client2->request('GET', '/login')->selectButton('login')->form();
$form2['_username'] = 'antonio';
$form2['_password'] = 'secret';
$client2->submit($form2);
$this->assertRedirect($client2->getResponse(), '/profile');

$client1->request('GET', '/profile');
$this->assertEquals(200, $client1->getResponse()->getStatusCode());
$sessionRegistry = $client1->getContainer()->get('security.session_registry');
$session1Infomation = $sessionRegistry->getSessionInformation($client1->getRequest()->getSession()->getId());
sleep(1); //Waiting for the session to expire

sleeps in tests are not funny.

$this->assertTrue($session1Infomation->isExpired());
}

protected function tearDown()
{
parent::tearDown();

$this->deleteTmpDir('SessionExpiration');
}
}
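Review bot: testLoginFailsWhenConcurrentSessionsGreaterOrEqualThanMaximun only asserts that client2 is redirected to `/login`, which a wrong password would produce just as well, and it never checks that client1's session survived the rejected attempt; add `$client1->request('GET', '/profile');` and `$this->assertEquals(200, $client1->getResponse()->getStatusCode());` after the second submit so the test pins the concurrency decision rather than a generic failed login. Naming: `Maximun` should be `Maximum`, `LesserThan` reads better as `LessThan`, and `$session1Infomation` should be `$session1Information`.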