[Security] Fixed persistence of AuthenticationException #15557
Conversation
|
|
||
| if ($exception instanceof UsernameNotFoundException) { | ||
| $session->set(SecurityContextInterface::LAST_USERNAME, $exception->getUsername()); | ||
| } |
There was a problem hiding this comment.
setting things in the session must not be done like this all the time:
- the request may not have a Session in it, which triggers a fatal error in your code
- if the firewall is configured as stateless, nothing should be set in the session even if there is a session
rpg600
changed the title
|
@rpg600 This would only fix the case where the refresh cannot find the user anymore when a I don't think this is what you intended to change. This will also alter the flow in the location where this method is called. Can you add tests to verify this is all working the way you want it to? |
|
@iltar This is exactly my use case, i faced this problem when i configured two providers having the same user class (but this is another issue) and i didn't know where it come from. It can be also useful for auth exceptions thrown by the user land. |
rpg600
force-pushed
the
fix-auth-error
branch
3 times, most recently
from
cc21c6c to
d6aebb1
Compare
|
What about #12465 instead? |
|
probably fixed by #21865 |
During the refresh of an authenticated user the potential AuthenticationException is ignored, now it is persisted in session just like after an authentication failure.