#29 Leave clearing the session to SessionAuthenticationStrategy

Session is no longer cleared on authentication. Somenone who wants to clear the session should implement a SessionAuthenticationStrategy of his own, inject the TokenSotorageInterface from the service configuration and in the onAuthentication method clear the session when both $oldToken and $newToken are instanceof UsernamePasswordToken and usernames of both tokens are different.
metaclass-nl · Sep 19, 2017 · 813f7fa · 813f7fa
1 parent b62eb51
commit 813f7fa
Showing 1 changed file with 0 additions and 9 deletions.
diff --git a/Service/UsernamePasswordFormAuthenticationGuard.php b/Service/UsernamePasswordFormAuthenticationGuard.php
@@ -122,15 +122,6 @@ protected function attemptAuthentication(Request $request)
                     //authenticated! No need to hide timing
                     $this->governor->registerAuthenticationSuccess();
 
-                    //when the user goes to the login page without logging out or on reauthentication because of
-                    //an InsufficientAuthenticationException there may still be a UsernamePasswordToken
-                    $oldToken = $this->myTokenStorage->getToken();
-                    $oldUserName = $oldToken instanceof UsernamePasswordToken ? $oldToken->getUserName() : '';
-                    if ($newToken instanceof UsernamePasswordToken && trim($newToken->getUserName()) != trim($oldUserName)) {
-                        //user has changed without logout, clear session so that the data of the old user can not leak to the new user
-                        $request->getSession()->clear();
-                    }
-
                     return $newToken;
                } catch (AuthenticationException $e) {
                     if ($this->isClientResponsibleFor($e)) {