From 813f7fa2a9a72fa382902e8e27808adbb5f8c3af Mon Sep 17 00:00:00 2001
From: henk
Date: Tue, 19 Sep 2017 10:23:49 +0200
Subject: [PATCH] #29 Leave clearing the session to SessionAuthenticationStrategy

Session is no longer cleared on authentication. Somenone who wants to clear the session should implement a SessionAuthenticationStrategy of his own, inject the TokenSotorageInterface from the service configuration and in the onAuthentication method clear the session when both $oldToken and $newToken are instanceof UsernamePasswordToken and usernames of both tokens are different.
---
 Service/UsernamePasswordFormAuthenticationGuard.php | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/Service/UsernamePasswordFormAuthenticationGuard.php b/Service/UsernamePasswordFormAuthenticationGuard.php
index e2ee6a5..b78d7f1 100644
--- a/Service/UsernamePasswordFormAuthenticationGuard.php
+++ b/Service/UsernamePasswordFormAuthenticationGuard.php
@@ -122,15 +122,6 @@ protected function attemptAuthentication(Request $request)
             //authenticated! No need to hide timing
             $this->governor->registerAuthenticationSuccess();
 
-            //when the user goes to the login page without logging out or on reauthentication because of
-            //an InsufficientAuthenticationException there may still be a UsernamePasswordToken
-            $oldToken = $this->myTokenStorage->getToken();
-            $oldUserName = $oldToken instanceof UsernamePasswordToken ? $oldToken->getUserName() : '';
-            if ($newToken instanceof UsernamePasswordToken && trim($newToken->getUserName()) != trim($oldUserName)) {
-                //user has changed without logout, clear session so that the data of the old user can not leak to the new user
-                $request->getSession()->clear();
-            }
-
             return $newToken;
         } catch (AuthenticationException $e) {
             if ($this->isClientResponsibleFor($e)) {
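Review bot: With the clearing gone, nothing on the new side of this hunk stops attributes stored by a previously authenticated user from surviving into the session of a different user who logs in without logging out; the commit message delegates that to a custom SessionAuthenticationStrategy, but the guard itself does not say so, and Symfony's default `migrate` strategy only regenerates the session id while keeping its attributes. I would record the contract in the class docblock: `Successful authentication does not clear the session. Deployments that must not carry session data across a change of user should set the firewall's session_fixation_strategy to invalidate or register a SessionAuthenticationStrategy that clears it.` If `$this->myTokenStorage` was read only by the removed lines, the property and its constructor dependency may now be dead code — worth checking the rest of the class, which lies outside the hunk. `attemptAuthentication` starts and ends outside the hunk.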