Symfony 3.3.17和3.4.9再现了这个问题
我有一个自定义身份验证提供程序,它将遗留应用程序和Symfony应用程序连接在一起:
应用/配置/ security.yml
security:
providers:
zog:
id: app.zog_user_provider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: ~
logout:
path: /logout
target: /
guard:
authenticators:
- app.legacy_token_authenticator
- app.token_authenticator
entry_point: app.legacy_token_authenticator
的src /的appbundle /安全性/ LegacyTokenAuthenticator:
class LegacyTokenAuthenticator extends AbstractGuardAuthenticator
{
private $session;
private $router;
public function __construct(
RouterInterface $router,
SessionInterface $session,
$environment
) {
if (session_status() != PHP_SESSION_ACTIVE) {
if ($environment != 'test'){
session_start();
}
$session->start();
$this->setSession($session);
}
//if (!$session->isStarted()) {
//}
$this->router = $router;
}
/**
* @return mixed
*/
public function getSession()
{
return $this->session;
}
/**
* @param mixed $session
*/
public function setSession($session)
{
$this->session = $session;
}
/**
* Called on every request. Return whatever credentials you want,
* or null to stop authentication.
*/
public function getCredentials(Request $request)
{
$session = $this->getSession();
if (isset($_SESSION['ADMIN_logged_in']) && intval($_SESSION['ADMIN_logged_in'])){
return $_SESSION['ADMIN_logged_in'];
}
return;
}
public function getUser($credentials, UserProviderInterface $userProvider)
{
return $userProvider->loadUserByUserId($credentials);
}
public function checkCredentials($credentials, UserInterface $user)
{
return $user->getUsername() == $credentials;
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
return null;
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
return null;
}
/**
* Called when authentication is needed, but it's not sent
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$url = $this->router->generate('app_security_login');
return new RedirectResponse($url);
}
public function supportsRememberMe()
{
return false;
}
}
的src /的appbundle /安全性/ TokenAuthenticator:
class TokenAuthenticator extends AbstractGuardAuthenticator
{
/**
* @var \Symfony\Component\Routing\RouterInterface
*/
private $router;
/**
* Default message for authentication failure.
*
* @var string
*/
private $failMessage = 'Invalid credentials';
/**
* @var UserPasswordEncoderInterface
*/
private $passwordEncoder;
/**
* Creates a new instance of FormAuthenticator
*/
public function __construct(
RouterInterface $router,
SessionInterface $session,
$environment,
UserPasswordEncoderInterface $passwordEncoder
) {
$this->passwordEncoder = $passwordEncoder;
$this->router = $router;
if (session_status() != PHP_SESSION_ACTIVE) {
if ($environment != 'test') {
session_start();
}
$session->start();
}
}
/**
* {@inheritdoc}
*/
public function getCredentials(Request $request)
{
if ($request->getPathInfo() != '/security/login' || !$request->isMethod('POST')) {
return;
}
return ['username' => $request->request->get('username'), 'password' => $request->request->get('password')];
}
/**
* {@inheritdoc}
*/
public function getUser($credentials, UserProviderInterface $userProvider)
{
try {
return $userProvider->loadUserByUsername($credentials['username']);
} catch (UsernameNotFoundException $e) {
throw new CustomUserMessageAuthenticationException(
$e->getMessage() != '' ?$e->getMessage():$this->failMessage
);
}
}
/**
* {@inheritdoc}
*/
public function checkCredentials($credentials, UserInterface $user)
{
if ($this->passwordEncoder->isPasswordValid($user, $credentials['password'])) {
return true;
}
throw new CustomUserMessageAuthenticationException($this->failMessage);
}
/**
* {@inheritdoc}
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
$_SESSION['ADMIN_logged_in'] = $token->getUser()->getUsername();
if ($_SESSION['legacy_page_requested'] ?? '/'){
$url = $_SESSION['legacy_page_requested'] ?? '/';
}else{
$url = '/workflow_detailv2view.php';
}
unset($_SESSION['legacy_page_requested']);
return new RedirectResponse($url);
}
/**
* {@inheritdoc}
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
$request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
$url = $this->router->generate('app_security_login');
return new RedirectResponse($url);
}
/**
* {@inheritdoc}
*/
public function start(Request $request, AuthenticationException $authException = null)
{
$url = $this->router->generate('app_security_login');
return new RedirectResponse($url);
}
/**
* {@inheritdoc}
*/
public function supportsRememberMe()
{
return false;
}
}
我发现这个系统工作正常。但是,旧版页面中的新功能是运行2个重叠的Symfony异步应用程序请求。
在这种情况下,第一个请求显示2个会话Cookie
Request URL: https://somedomain.com/system/staff_meeting/edit/1
Request Method: GET
Status Code: 200 OK
Remote Address: 222.154.225.22:443
Referrer Policy: no-referrer-when-downgrade
Cache-Control: max-age=0, must-revalidate, private
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Wed, 13 Jun 2018 21:57:19 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=15, max=90
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/7.0.20
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: PHPSESSID=tn7jhi5n2iu16le1os971vn024; path=/
Transfer-Encoding: chunked
X-Powered-By: PHP/7.0.20
并且正在注销第二个请求:
Request URL: https://somedomain.com/system/staff_meeting/edit/1
Request Method: GET
Status Code: 302 Found
Remote Address: 222.154.225.22:443
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: max-age=0, must-revalidate, private
Connection: Keep-Alive
Content-Length: 332
Content-Type: text/html; charset=UTF-8
Date: Thu, 14 Jun 2018 01:26:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=15, max=90
Location: /system/security/login
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/7.0.20
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Powered-By: PHP/7.0.20
我认为在访问我们用于将遗留系统和Symfony应用程序保存在一起的$ _SESSION变量时,这必须是一些竞争条件。
有任何想法如何解决此问题?
答案 0 :(得分:2)
对身份验证器进行以下更改,以使会话管理保持为symfony:
src / AppBundle / Security / LegacyTokenAuthenticator:
public function __construct(RouterInterface $router) {
$this->router = $router;
}
public function getUser($credentials, UserProviderInterface $userProvider)
{
return $userProvider->loadUserByUsername($credentials);
}
public function getCredentials(Request $request)
{
$session = $request->getSession();
if ($session->has('ADMIN_logged_in') && intval($session->get('ADMIN_logged_in'))){
return $session->get('ADMIN_logged_in');
}
return null;
}
src / AppBundle / Security / TokenAuthenticator:
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
{
$session = $request->getSession();
$session->set('ADMIN_logged_in', $token->getUser()->getUsername());
if ($session->has('legacy_page_requested')) {
$url = $session->get('legacy_page_requested') ?? '/';
$session->remove('legacy_page_requested');
} else {
$url = '/workflow_detailv2view.php';
}
return new RedirectResponse($url);
}
答案 1 :(得分:1)
我能够通过设置来解决问题
security.yml
security:
session_fixation_strategy: none
但是我不确定如何修复会话的重新生成和相应的Cookie值重命名。
我仍然很想听听对此的其他想法。
答案 2 :(得分:1)
我不完全了解您的体系结构,但是我认为最好是在单个防火墙上没有两个Guard Authenticator。
您可以像这样将Symfony会话设置为旧会话:
# config.yml
framework:
session:
handler_id: session.handler.native_file
save_path: "/tmp/sessions/%kernel.environment%"
从那里,您可以使用$_SESSION超全局变量(旧版代码经常使用的旧版)来管理任何旧版会话。
如果您要对旧版和新系统使用不同的登录规则,我的建议是设置两个不同的防火墙。您可以分配一个shared context,以便用户无需重新认证,只需在子类中添加一些其他规则即可。
答案 3 :(得分:-1)
避免调用session_start()或$ session-> start();! Symfony会自己做这件事。