From d1aa32a2a1f61125a404bb259b87ed882bdb03a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20H=C3=A9lias?= Date: Tue, 21 Dec 2021 16:03:21 +0100 Subject: [PATCH] [Security/Http] Fix cookie clearing on logout --- .../CookieClearingLogoutListener.php | 2 +- .../CookieClearingLogoutListenerTest.php | 56 +++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 src/Symfony/Component/Security/Http/Tests/EventListener/CookieClearingLogoutListenerTest.php diff --git a/src/Symfony/Component/Security/Http/EventListener/CookieClearingLogoutListener.php b/src/Symfony/Component/Security/Http/EventListener/CookieClearingLogoutListener.php index ecff5fd03078..d178b926c3ad 100644 --- a/src/Symfony/Component/Security/Http/EventListener/CookieClearingLogoutListener.php +++ b/src/Symfony/Component/Security/Http/EventListener/CookieClearingLogoutListener.php @@ -40,7 +40,7 @@ public function onLogout(LogoutEvent $event): void } foreach ($this->cookies as $cookieName => $cookieData) { - $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain']); + $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain'], $cookieData['secure'] ?? false, true, $cookieData['samesite'] ?? null); } } diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/CookieClearingLogoutListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/CookieClearingLogoutListenerTest.php new file mode 100644 index 000000000000..f4c0e3d89b61 --- /dev/null +++ b/src/Symfony/Component/Security/Http/Tests/EventListener/CookieClearingLogoutListenerTest.php @@ -0,0 +1,56 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Symfony\Component\Security\Http\Tests\EventListener; + +use PHPUnit\Framework\TestCase; +use Symfony\Component\HttpFoundation\Cookie; +use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\HttpFoundation\Response; +use Symfony\Component\HttpFoundation\ResponseHeaderBag; +use Symfony\Component\Security\Http\Event\LogoutEvent; +use Symfony\Component\Security\Http\EventListener\CookieClearingLogoutListener; + +class CookieClearingLogoutListenerTest extends TestCase +{ + public function testLogout() + { + $response = new Response(); + $event = new LogoutEvent(new Request(), null); + $event->setResponse($response); + + $listener = new CookieClearingLogoutListener(['foo' => ['path' => '/foo', 'domain' => 'foo.foo', 'secure' => true, 'samesite' => Cookie::SAMESITE_STRICT], 'foo2' => ['path' => null, 'domain' => null]]); + + $cookies = $response->headers->getCookies(); + $this->assertCount(0, $cookies); + + $listener->onLogout($event); + + $cookies = $response->headers->getCookies(ResponseHeaderBag::COOKIES_ARRAY); + $this->assertCount(2, $cookies); + + $cookie = $cookies['foo.foo']['/foo']['foo']; + $this->assertEquals('foo', $cookie->getName()); + $this->assertEquals('/foo', $cookie->getPath()); + $this->assertEquals('foo.foo', $cookie->getDomain()); + $this->assertEquals(Cookie::SAMESITE_STRICT, $cookie->getSameSite()); + $this->assertTrue($cookie->isSecure()); + $this->assertTrue($cookie->isCleared()); + + $cookie = $cookies['']['/']['foo2']; + $this->assertStringStartsWith('foo2', $cookie->getName()); + $this->assertEquals('/', $cookie->getPath()); + $this->assertNull($cookie->getDomain()); + $this->assertNull($cookie->getSameSite()); + $this->assertFalse($cookie->isSecure()); + $this->assertTrue($cookie->isCleared()); + } +}