[Security] Mark the request as _stateless if the firewall used is stateless #40372

Seldaek · 2021-03-05T11:28:22Z

Description
As of 5.1, routes can be marked stateless which is a great addition. It occurred to me that if a firewall is configured to be stateless, the Request could also automatically receive the stateless attribute if it matches the firewall config.

Example

Security config example:

security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt|error)|css|images|js)/
            security: false

        api:
            host: ^api\.
            custom_authenticators:
                - App\Security\ApiTokenAuthenticator
            stateless: true

        main:
            form_login:
                provider: app_user_provider
                login_path: /login
                check_path: /user/login_check

In this case, requests to the api.example.org should get the _stateless attribute automatically, so we get warned if any API usage has a session started.

Using stateless routes in this case is not strictly possible as we have routes usable on both api and regular domain, and they do make use of sessions for user authentication on the regular domain, but not on the API one.

I for now fixed this with a request listener setting the attribute myself, but it would be nice if the framework took care of it.

The text was updated successfully, but these errors were encountered:

carsonbot · 2021-09-13T13:01:05Z

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

Seldaek · 2021-09-13T20:54:43Z

Still relevant, will see if I can work on a patch.

nicolas-grekas · 2022-02-23T16:10:34Z

Patch welcome indeeded :)

carsonbot · 2022-08-28T14:45:55Z

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

xabbuh · 2022-12-04T10:58:24Z

@fabpot #48044 would still be needed for this to be complete if I am not mistaken.

…s stateless (alamirault) This PR was squashed before being merged into the 6.3 branch. Discussion ---------- [SecurityBundle] Set request stateless when firewall is stateless | Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes  | Deprecations? | no  | Tickets | Fix #40372  | License | MIT | Doc PR | symfony/symfony-docs#...  Automatically add `_stateless` attribute to the request when firewall is stateless Commits ------- ce458c6 [SecurityBundle] Set request stateless when firewall is stateless

carsonbot added the Security label Mar 5, 2021

xabbuh added the Feature label Mar 12, 2021

carsonbot added the Stalled label Sep 13, 2021

carsonbot removed the Stalled label Sep 13, 2021

carsonbot added the Stalled label Aug 28, 2022

chalasr added Keep open and removed Stalled labels Aug 28, 2022

alamirault mentioned this issue Oct 29, 2022

[SecurityBundle] Set request stateless when firewall is stateless #48044

Merged

fabpot closed this as completed Dec 2, 2022

xabbuh reopened this Dec 4, 2022

fabpot closed this as completed Dec 18, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Mark the request as _stateless if the firewall used is stateless #40372

[Security] Mark the request as _stateless if the firewall used is stateless #40372

Seldaek commented Mar 5, 2021

carsonbot commented Sep 13, 2021

Seldaek commented Sep 13, 2021

nicolas-grekas commented Feb 23, 2022

carsonbot commented Aug 28, 2022

xabbuh commented Dec 4, 2022

[Security] Mark the request as _stateless if the firewall used is stateless #40372

[Security] Mark the request as _stateless if the firewall used is stateless #40372

Comments

Seldaek commented Mar 5, 2021

carsonbot commented Sep 13, 2021

Seldaek commented Sep 13, 2021

nicolas-grekas commented Feb 23, 2022

carsonbot commented Aug 28, 2022

xabbuh commented Dec 4, 2022