[FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded #25508
Conversation
a7d011e to
226a2cc
Compare
|
Sorry for not picking the session before. If it's the behaviour we want (and I believe yes), I can help with changing the tests to reflect that @nicolas-grekas. |
|
@nicolas-grekas can you check why deps=high and deps=low are failing here ? |
b271567 to
54eef22
Compare
|
Travis is 💚 and AppVeyor's issues are not related. |
|
I really want to help fix the session issue... but this strikes me as weird:
Sorry to not be on board... I'm just not convinced yet... |
|
Without knowing the internals of this, I agree with Ryan that requiring security-csrf just to auto-enable sessions look like a hack. |
|
This is not the main purpose of this PR. It's main purpose is enabling CSRF protection when security-csrf is installed. |
@nicolas-grekas Ok - fair enough then - it makes more sense looking at it through that lense. But, what about this:
Is that not a problem? |
|
There is a discussion somewhere about discouraging to use this meta repo. Should remove the issue. |
@nicolas-grekas Hmm, ok... I'm going to be really annoying 😇. Should we remove the Another issue is that simply enabling the session means that it will store sessions into the handler_id to null and thus allows PHP to handle storage).
I don't see the smooth solution yet :/. |
|
I'm here to complicate things more :). The SecurityBundle has a dependency on all of |
|
OK, if this is not obvious, this PR should not be merged :) |
|
Reopening as I think this should be merged when #25699 will be. |
| @@ -449,7 +450,7 @@ private function addSessionSection(ArrayNodeDefinition $rootNode) | ||
| ->children() | ||
| ->arrayNode('session') | ||
| ->info('session configuration') | ||
| ->canBeEnabled() | ||
| ->{!class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class) ? 'canBeDisabled' : 'canBeEnabled'}() |
There was a problem hiding this comment.
I'm not sure how yet but I believe we could find a better way than relying on a Symfony\Component\Security class to enable the session automatically. Maybe a meta-package containing a Symfony\Meta\RequiresSession class? 🤷♂️
There was a problem hiding this comment.
I think we should not go in that direction. If enabling the session has no downside (with #25699), we should just enable them by default. But I wouldn't change the default in 3.4. Thus this PR, which is back in the game as is for me.
There was a problem hiding this comment.
Yes, you're right that it costs nothing. The interface_exists check is what is bothering me. Can we check on the SessionInterface interface directly instead of the CsrfTokenManagerInterface?
|
+1 to reopen! But I think the logic should be changed: we should never automatically (in the Configuration class) enable the session... because it will default to trying to write to a var/cache directory that may not exist (so the user will get an error). Could we auto-enable csrf if the code exists AND if the session was enabled by the user? |
54eef22 to
74025a1
Compare
here we are :) |
ec93d0f to
1ab06c0
Compare
1ab06c0 to
b2eaeff
Compare
53ba38a to
9e8231f
Compare
|
Just removed 2nd commit, which belongs to another PR. |
| @@ -229,6 +231,11 @@ public function load(array $configs, ContainerBuilder $container) | ||
| $this->registerRequestConfiguration($config['request'], $container, $loader); | ||
| } | ||
|
|
||
| if (null === $config['csrf_protection']['enabled']) { |
There was a problem hiding this comment.
Will this ever be reached? I would have expected the treatNullLike() call above to result in the value here being true.
There was a problem hiding this comment.
verified: yes! "defaultNull" applies after "treatNullLike" (which applies only to explicit user values)
There was a problem hiding this comment.
maybe we should add a test for this :)
There was a problem hiding this comment.
that's a test for the Config component :)
There was a problem hiding this comment.
I meant for different configs here, but it will become quite hard as the FullStack class is always available.
There was a problem hiding this comment.
treatNullLike is on the csrf_protection node, not on the enabled node.
…sion* are loaded (nicolas-grekas) This PR was merged into the 3.4 branch. Discussion ---------- [FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony/recipes#262 | License | MIT | Doc PR | - By binding CSRF and session default state, we provide better DX, but we also provide a way for bundles to enable session on its own: they just need to require "symfony/security-csrf". Yes, that's a side effect, but I think that's a nice one for 3.4/4.0. Of course, we might do better in 4.1, but for bug fix only releases, LGTM. Commits ------- 9e8231f [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
|
then we again have the issue that installing the CSRF component is not enough to be protected (as it requires enabling session manually first and nothing will warn you). People using forms might not even see that they don't have csrf protection enabled on them. |
|
in Flex, the session is enabled by default, so that this is less an issue |
By binding CSRF and session default state, we provide better DX, but we also provide a way for bundles to enable session on its own: they just need to require "symfony/security-csrf".
Yes, that's a side effect, but I think that's a nice one for 3.4/4.0.
Of course, we might do better in 4.1, but for bug fix only releases, LGTM.