Security::login() is supposed to authenticate a user into the firewall passed as the third argument, but when that firewall differs from the one currently handling the request the new token ends up persisted under the current firewall's session key (_security_<currentFirewall>) instead of the target firewall's (_security_<targetFirewall>).

Root cause: ContextListener::onKernelResponse() keys its session write off $request->attributes->get('_security_firewall_run'), which is the current firewall's session key. After Security::login() minted a token for a different firewall, that listener writes the foreign token to the current firewall's bucket — so the user looks logged in to the wrong firewall.

Fix: when the target firewall differs from the current one, write the new token directly to the target firewall's session key (_security_<context>, mirroring what KernelBrowser::loginUser() does) and remove the _security_firewall_run request attribute so the current firewall's ContextListener does not overwrite its own bucket with the foreign token. The current firewall's existing token is therefore untouched.

The fix is a no-op when Security::login() is called for the firewall already handling the request, when the target firewall is stateless, or when the target firewall config cannot be resolved (e.g. on legacy setups without the new security.firewall_config_locator locator) — preserving full BC.

A new security.firewall_config_locator ServiceLocator (keyed by firewall name) is wired in SecurityExtension and injected into security.helper, alongside the existing security.user_checker_locator pattern.

Reproduces with Tests/Functional/SecurityTest::testLoginBetweenStatefulFirewalls.

TDD verification

• RED (new test on 6.4 with Security.php/SecurityExtension.php/security.php reverted):

PHPUnit 9.6.21 by Sebastian Bergmann and contributors.

F                                                                   1 / 1 (100%)

There was 1 failure:

1) Symfony\Bundle\SecurityBundle\Tests\Functional\SecurityTest::testLoginBetweenStatefulFirewalls
Failed asserting that null is identical to Array &0 (
    'message' => 'Welcome back @chalasr'
).

FAILURES!
Tests: 1, Assertions: 1, Failures: 1.

• GREEN (new test with the fix applied):

PHPUnit 9.6.21 by Sebastian Bergmann and contributors.

.                                                                   1 / 1 (100%)

OK (1 test, 1 assertion)