Php Symfony 5:用户登录后仍然匿名(有时)
我在Symfony 5.0.10中使用自定义身份验证程序和自定义用户提供程序 我的一些用户抱怨他们不能再登录了:事实上,在某些情况下,登录会成功(调用onAuthenticationSuccess),但用户仍然是匿名的。这会导致直接重定向到登录页面 这可以通过清除cookies(PHPSESSID)或使用专用导航窗口来解决。我无法解释这是如何进入匿名用户的登录逻辑的 如果你们能找到真正对我有帮助的问题,我已经花了好几个通宵在这上面了,但我想不出来 这是我的密码: 安全.yamlPhp Symfony 5:用户登录后仍然匿名(有时),php,symfony,authentication,symfony5,Php,Symfony,Authentication,Symfony5,我在Symfony 5.0.10中使用自定义身份验证程序和自定义用户提供程序 我的一些用户抱怨他们不能再登录了:事实上,在某些情况下,登录会成功(调用onAuthenticationSuccess),但用户仍然是匿名的。这会导致直接重定向到登录页面 这可以通过清除cookies(PHPSESSID)或使用专用导航窗口来解决。我无法解释这是如何进入匿名用户的登录逻辑的 如果你们能找到真正对我有帮助的问题,我已经花了好几个通宵在这上面了,但我想不出来 这是我的密码: 安全.yaml securit
security:
encoders:
App\Security\User:
algorithm: none
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers:
# used to reload user from session & other features (e.g. switch_user)
app_galette_user_provider:
id: App\Security\GaletteUserProvider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: lazy
provider: app_galette_user_provider
logout:
path: app_logout
guard:
authenticators:
- App\Security\AppCustomAuthenticator
# where to redirect after logout
# target: app_any_route
# activate different ways to authenticate
# https://symfony.com/doc/current/security.html#firewalls-authentication
# https://symfony.com/doc/current/security/impersonating_user.html
# switch_user: true
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: IS_AUTHENTICATED_FULLY }
自定义验证器(AppCustomAuthenticator.php)
这可能是由symfony会话固定保护引起的。
默认情况下,它处于启用状态,并应在用户身份验证后刷新会话id。更多信息
检查PHPSESSID cookie是否在每次请求后刷新。
如果确实如此,则验证器会在每个用户请求上触发刷新会话id。
这会导致以下情况:如果用户在收到前一个请求的响应之前发出第二个请求,则其会话id将无效,并且未经验证
当然,您可以在安全配置中禁用此保护:
security:
session_fixation_strategy: none
但更好的方法是修复问题,不要在系统中创建漏洞。遗憾的是,我尝试使用会话固定策略更新配置:无,但没有任何更改。进一步检查后发现,即使在配置更新之前,PHPSESSID也没有在每个会话中更新。它应该是默认的Symfony行为吗?会话id应该只更新一次:在身份验证之后,而不是在每个请求上。所以你的验证器工作正常。那么问题就出在其他地方了。感谢您的输入,我将尝试在另一台服务器上进行测试,看看我的PHP配置是否有问题。。。
<?php
namespace App\Security;
use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;
class User implements UserInterface, EquatableInterface
{
private $id;
private $email;
private $roles;
private $password;
private $nom;
private $prenom;
private $adresse;
private $adresse2;
private $cp;
private $ville;
private $pays;
private $tel;
private $gsm;
private $salt;
private $username;
public function isEqualTo(UserInterface $user)
{
if ($this->getUsername() !== $user->getUsername()) {
return false;
}
return true;
}
/**
* @return int
*/
public function getId(): int
{
return $this->id;
}
/**
* @param int $id
*/
public function setId($id): void
{
$this->id = $id;
}
/**
* @return string
*/
public function getNom(): string
{
return $this->nom;
}
/**
* @param string $nom
*/
public function setNom($nom): void
{
$this->nom = $nom;
}
/**
* @return string
*/
public function getPrenom(): string
{
return $this->prenom;
}
/**
* @param string $prenom
*/
public function setPrenom($prenom): void
{
$this->prenom = $prenom;
}
/**
* @return string
*/
public function getAdresse(): string
{
return $this->adresse;
}
/**
* @param string $adresse
*/
public function setAdresse($adresse): void
{
$this->adresse = $adresse;
}
/**
* @return string
*/
public function getAdresse2(): ?string
{
return $this->adresse2;
}
/**
* @param string $adresse2
*/
public function setAdresse2($adresse2): void
{
$this->adresse2 = $adresse2;
}
/**
* @return string
*/
public function getCp(): ?string
{
return $this->cp;
}
/**
* @param string $cp
*/
public function setCp($cp): void
{
$this->cp = $cp;
}
/**
* @return string
*/
public function getVille(): ?string
{
return $this->ville;
}
/**
* @param string $ville
*/
public function setVille($ville): void
{
$this->ville = $ville;
}
/**
* @return string
*/
public function getPays(): ?string
{
return $this->pays;
}
/**
* @param string $pays
*/
public function setPays($pays): void
{
$this->pays = $pays;
}
/**
* @return string
*/
public function getTel(): ?string
{
return $this->tel;
}
/**
* @param string $tel
*/
public function setTel($tel): void
{
$this->tel = $tel;
}
/**
* @return string
*/
public function getGsm(): ?string
{
return $this->gsm;
}
/**
* @param string $gsm
*/
public function setGsm($gsm): void
{
$this->gsm = $gsm;
}
public function getEmail(): ?string
{
return $this->email;
}
public function setEmail(string $email): self
{
$this->email = $email;
return $this;
}
/**
* A visual identifier that represents this user.
*
* @see UserInterface
*/
public function getUsername(): string
{
return $this->username;
}
public function setUsername(string $username): self
{
$this->username = $username;
return $this;
}
/**
* @see UserInterface
*/
public function getRoles(): array
{
$roles = $this->roles;
// guarantee every user at least has ROLE_USER
$roles[] = 'ROLE_USER';
return array_unique($roles);
}
public function setRoles(array $roles): self
{
$this->roles = $roles;
return $this;
}
/**
* @see UserInterface
*/
public function getPassword(): string
{
return (string) $this->password;
}
public function setPassword(string $password): self
{
$this->password = $password;
return $this;
}
/**
* @see UserInterface
*/
public function getSalt()
{
return;
}
/**
* @see UserInterface
*/
public function eraseCredentials()
{
// If you store any temporary, sensitive data on the user, clear it here
// $this->plainPassword = null;
}
}
'''
-> I'm not including my custom user provider as i know it to work (it correctly returns the user)
-> My user passwords are indeed "in clear", this is a very specific scenario which poses no security threat
security:
session_fixation_strategy: none