[Security] Do not try to clear CSRF on stateless request #54742
Conversation
...mfony/Bundle/SecurityBundle/Tests/Functional/app/LogoutWithoutSessionInvalidation/config.yml
Show resolved
Hide resolved
|
|
||
| if ( | ||
| $this->csrfTokenStorage instanceof SessionTokenStorage | ||
| && ($request->attributes->getBoolean('_stateless') || !$request->hasPreviousSession()) |
There was a problem hiding this comment.
But why do we have a previous request in the first place in your situation?
If there is a previous session, we should clean the session even of this contradicts the stateless flag, or we might create a security issue, or?
There was a problem hiding this comment.
Our API and website are sharing the same domain.
API is accessible from domain.com/api/
The user can be authenticated on the website using session and also using JWT on the API on the same device.
When the user already has a session on the website and try to logout from the API, it results in this log message.
(On the API we use the logout endpoint to delete refresh tokens of the user in our db)
Because the logout listener is only checking if the request ha a previous session when all other listeners also check if the request is stateless.
There was a problem hiding this comment.
BTW, this is also how works others logout listeners.
If the user logout on a stateless request (and also has a session on the same device), his session is not cleared.
So we should also clear the CSRF token too on statleless requests.
In my application, I am getting many logs
Session was used while the request was declared stateless.triggered by users logout on our API.We should not try to clear CSRF on stateless sessions.
Similar to #51350