bug symfony#49526 [Security] Migrate the session on login only when the user changes (nicolas-grekas)

wouterj · wouterj · commit 7be1d8d7b138 · 2023-02-28T11:48:24.000+01:00
This PR was merged into the 5.4 branch. Discussion ---------- [Security] Migrate the session on login only when the user changes | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix symfony#49194 | License | MIT | Doc PR | - As described in the linked issue, the recent security fix breaks submitting forms when stateless authenticators are mixed with stateful CSRF storage. This PR fixes the issue by ensuring that the session is *not* migrated when the user selected by the stateless authenticator is the same as the one retrieved from the session. In order to do so, I had add to the previous token to `LoginSuccessEvent`. /cc `@wouterj` `@weaverryan` `@stof` can you please have a look? This should be part of the next release if possible. Commits ------- 238f25c [Security] Migrate the session on login only when the user changes
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php
@@ -49,6 +49,7 @@
                 abstract_arg('Authenticators'),
                 service('logger')->nullOnInvalid(),
                 param('security.authentication.hide_user_not_found'),
+                service('security.token_storage'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
             ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
diff --git a/src/Symfony/Component/Security/Guard/Firewall/GuardAuthenticationListener.php b/src/Symfony/Component/Security/Guard/Firewall/GuardAuthenticationListener.php
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AccountStatusException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
@@ -49,12 +50,13 @@ class GuardAuthenticationListener extends AbstractListener
     private $logger;
     private $rememberMeServices;
     private $hideUserNotFoundExceptions;
+    private $tokenStorage;
 
     /**
      * @param string                                      $providerKey         The provider (i.e. firewall) key
      * @param iterable<array-key, AuthenticatorInterface> $guardAuthenticators The authenticators, with keys that match what's passed to GuardAuthenticationProvider
      */
-    public function __construct(GuardAuthenticatorHandler $guardHandler, AuthenticationManagerInterface $authenticationManager, string $providerKey, iterable $guardAuthenticators, LoggerInterface $logger = null, bool $hideUserNotFoundExceptions = true)
+    public function __construct(GuardAuthenticatorHandler $guardHandler, AuthenticationManagerInterface $authenticationManager, string $providerKey, iterable $guardAuthenticators, LoggerInterface $logger = null, bool $hideUserNotFoundExceptions = true, TokenStorageInterface $tokenStorage = null)
     {
         if (empty($providerKey)) {
             throw new \InvalidArgumentException('$providerKey must not be empty.');
@@ -66,6 +68,7 @@ public function __construct(GuardAuthenticatorHandler $guardHandler, Authenticat
         $this->guardAuthenticators = $guardAuthenticators;
         $this->logger = $logger;
         $this->hideUserNotFoundExceptions = $hideUserNotFoundExceptions;
+        $this->tokenStorage = $tokenStorage;
     }
 
     /**
@@ -135,6 +138,7 @@ public function authenticate(RequestEvent $event)
     private function executeGuardAuthenticator(string $uniqueGuardKey, AuthenticatorInterface $guardAuthenticator, RequestEvent $event)
     {
         $request = $event->getRequest();
+        $previousToken = $this->tokenStorage ? $this->tokenStorage->getToken() : null;
         try {
             if (null !== $this->logger) {
                 $this->logger->debug('Calling getCredentials() on guard authenticator.', ['firewall_key' => $this->providerKey, 'authenticator' => \get_class($guardAuthenticator)]);
@@ -162,7 +166,11 @@ private function executeGuardAuthenticator(string $uniqueGuardKey, Authenticator
             }
 
             // sets the token on the token storage, etc
-            $this->guardHandler->authenticateWithToken($token, $request, $this->providerKey);
+            if ($this->tokenStorage) {
+                $this->guardHandler->authenticateWithToken($token, $request, $this->providerKey, $previousToken);
+            } else {
+                $this->guardHandler->authenticateWithToken($token, $request, $this->providerKey);
+            }
         } catch (AuthenticationException $e) {
             // oh no! Authentication failed!
 
diff --git a/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php b/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
@@ -56,9 +56,9 @@ public function __construct(TokenStorageInterface $tokenStorage, EventDispatcher
     /**
      * Authenticates the given token in the system.
      */
-    public function authenticateWithToken(TokenInterface $token, Request $request, string $providerKey = null)
+    public function authenticateWithToken(TokenInterface $token, Request $request, string $providerKey = null, TokenInterface $previousToken = null)
     {
-        $this->migrateSession($request, $token, $providerKey);
+        $this->migrateSession($request, $token, $providerKey, 3 < \func_num_args() ? $previousToken : $this->tokenStorage->getToken());
         $this->tokenStorage->setToken($token);
 
         if (null !== $this->dispatcher) {
@@ -91,7 +91,7 @@ public function authenticateUserAndHandleSuccess(UserInterface $user, Request $r
         // create an authenticated token for the User
         $token = $authenticator->createAuthenticatedToken($user, $providerKey);
         // authenticate this in the system
-        $this->authenticateWithToken($token, $request, $providerKey);
+        $this->authenticateWithToken($token, $request, $providerKey, $this->tokenStorage->getToken());
 
         // return the success metric
         return $this->handleAuthenticationSuccess($token, $request, $authenticator, $providerKey);
@@ -122,12 +122,21 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn
         $this->sessionStrategy = $sessionStrategy;
     }
 
-    private function migrateSession(Request $request, TokenInterface $token, ?string $providerKey)
+    private function migrateSession(Request $request, TokenInterface $token, ?string $providerKey, ?TokenInterface $previousToken)
     {
         if (\in_array($providerKey, $this->statelessProviderKeys, true) || !$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php b/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php
@@ -84,7 +84,7 @@ public function authenticateUser(UserInterface $user, AuthenticatorInterface $au
         $token = $this->eventDispatcher->dispatch(new AuthenticationTokenCreatedEvent($token, $passport))->getAuthenticatedToken();
 
         // authenticate this in the system
-        return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator);
+        return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator, $this->tokenStorage->getToken());
     }
 
     public function supports(Request $request): ?bool
@@ -174,6 +174,7 @@ private function executeAuthenticators(array $authenticators, Request $request):
     private function executeAuthenticator(AuthenticatorInterface $authenticator, Request $request): ?Response
     {
         $passport = null;
+        $previousToken = $this->tokenStorage->getToken();
 
         try {
             // get the passport from the Authenticator
@@ -224,7 +225,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
         }
 
         // success! (sets the token on the token storage, etc)
-        $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator);
+        $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator, $previousToken);
         if ($response instanceof Response) {
             return $response;
         }
@@ -236,7 +237,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
         return null;
     }
 
-    private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator): ?Response
+    private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator, ?TokenInterface $previousToken): ?Response
     {
         // @deprecated since Symfony 5.3
         $user = $authenticatedToken->getUser();
@@ -252,7 +253,7 @@ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken,
             $this->eventDispatcher->dispatch($loginEvent, SecurityEvents::INTERACTIVE_LOGIN);
         }
 
-        $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName));
+        $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName, $previousToken));
 
         return $loginSuccessEvent->getResponse();
     }
diff --git a/src/Symfony/Component/Security/Http/Event/LoginSuccessEvent.php b/src/Symfony/Component/Security/Http/Event/LoginSuccessEvent.php
@@ -37,14 +37,15 @@ class LoginSuccessEvent extends Event
     private $authenticator;
     private $passport;
     private $authenticatedToken;
+    private $previousToken;
     private $request;
     private $response;
     private $firewallName;
 
     /**
      * @param Passport $passport
      */
-    public function __construct(AuthenticatorInterface $authenticator, PassportInterface $passport, TokenInterface $authenticatedToken, Request $request, ?Response $response, string $firewallName)
+    public function __construct(AuthenticatorInterface $authenticator, PassportInterface $passport, TokenInterface $authenticatedToken, Request $request, ?Response $response, string $firewallName, TokenInterface $previousToken = null)
     {
         if (!$passport instanceof Passport) {
             trigger_deprecation('symfony/security-http', '5.4', 'Not passing an instance of "%s" as "$passport" argument of "%s()" is deprecated, "%s" given.', Passport::class, __METHOD__, get_debug_type($passport));
@@ -53,6 +54,7 @@ public function __construct(AuthenticatorInterface $authenticator, PassportInter
         $this->authenticator = $authenticator;
         $this->passport = $passport;
         $this->authenticatedToken = $authenticatedToken;
+        $this->previousToken = $previousToken;
         $this->request = $request;
         $this->response = $response;
         $this->firewallName = $firewallName;
@@ -83,6 +85,11 @@ public function getAuthenticatedToken(): TokenInterface
         return $this->authenticatedToken;
     }
 
+    public function getPreviousToken(): ?TokenInterface
+    {
+        return $this->previousToken;
+    }
+
     public function getRequest(): Request
     {
         return $this->request;
diff --git a/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php b/src/Symfony/Component/Security/Http/EventListener/SessionStrategyListener.php
@@ -43,6 +43,16 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void
             return;
         }
 
+        if ($previousToken = $event->getPreviousToken()) {
+            // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionAuthenticationStrategy->onAuthentication($request, $token);
     }
 
diff --git a/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php
@@ -133,12 +133,14 @@ public function authenticate(RequestEvent $event)
                 throw new SessionUnavailableException('Your session has timed out, or you have disabled cookies.');
             }
 
+            $previousToken = $this->tokenStorage->getToken();
+
             if (null === $returnValue = $this->attemptAuthentication($request)) {
                 return;
             }
 
             if ($returnValue instanceof TokenInterface) {
-                $this->sessionStrategy->onAuthentication($request, $returnValue);
+                $this->migrateSession($request, $returnValue, $previousToken);
 
                 $response = $this->onSuccess($request, $returnValue);
             } elseif ($returnValue instanceof Response) {
@@ -226,4 +228,18 @@ private function onSuccess(Request $request, TokenInterface $token): Response
 
         return $response;
     }
+
+    private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)
+    {
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
+        $this->sessionStrategy->onAuthentication($request, $token);
+    }
 }
diff --git a/src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php b/src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php
@@ -98,13 +98,14 @@ public function authenticate(RequestEvent $event)
         }
 
         try {
+            $previousToken = $token;
             $token = $this->authenticationManager->authenticate(new PreAuthenticatedToken($user, $credentials, $this->providerKey));
 
             if (null !== $this->logger) {
                 $this->logger->info('Pre-authentication successful.', ['token' => (string) $token]);
             }
 
-            $this->migrateSession($request, $token);
+            $this->migrateSession($request, $token, $previousToken);
 
             $this->tokenStorage->setToken($token);
 
@@ -149,12 +150,21 @@ private function clearToken(AuthenticationException $exception)
      */
     abstract protected function getPreAuthenticatedData(Request $request);
 
-    private function migrateSession(Request $request, TokenInterface $token)
+    private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)
     {
         if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php
@@ -88,9 +88,10 @@ public function authenticate(RequestEvent $event)
         }
 
         try {
+            $previousToken = $token;
             $token = $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'), $this->providerKey));
 
-            $this->migrateSession($request, $token);
+            $this->migrateSession($request, $token, $previousToken);
 
             $this->tokenStorage->setToken($token);
         } catch (AuthenticationException $e) {
@@ -121,12 +122,21 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn
         $this->sessionStrategy = $sessionStrategy;
     }
 
-    private function migrateSession(Request $request, TokenInterface $token)
+    private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)
     {
         if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php
@@ -101,6 +101,7 @@ public function authenticate(RequestEvent $event)
     {
         $request = $event->getRequest();
         $data = json_decode($request->getContent());
+        $previousToken = $this->tokenStorage->getToken();
 
         try {
             if (!$data instanceof \stdClass) {
@@ -134,7 +135,7 @@ public function authenticate(RequestEvent $event)
             $token = new UsernamePasswordToken($username, $password, $this->providerKey);
 
             $authenticatedToken = $this->authenticationManager->authenticate($token);
-            $response = $this->onSuccess($request, $authenticatedToken);
+            $response = $this->onSuccess($request, $authenticatedToken, $previousToken);
         } catch (AuthenticationException $e) {
             $response = $this->onFailure($request, $e);
         } catch (BadRequestHttpException $e) {
@@ -150,14 +151,14 @@ public function authenticate(RequestEvent $event)
         $event->setResponse($response);
     }
 
-    private function onSuccess(Request $request, TokenInterface $token): ?Response
+    private function onSuccess(Request $request, TokenInterface $token, ?TokenInterface $previousToken): ?Response
     {
         if (null !== $this->logger) {
             // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
             $this->logger->info('User has been authenticated successfully.', ['username' => method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()]);
         }
 
-        $this->migrateSession($request, $token);
+        $this->migrateSession($request, $token, $previousToken);
 
         $this->tokenStorage->setToken($token);
 
@@ -224,12 +225,21 @@ public function setTranslator(TranslatorInterface $translator)
         $this->translator = $translator;
     }
 
-    private function migrateSession(Request $request, TokenInterface $token)
+    private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)
     {
         if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordMigratingListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordMigratingListenerTest.php
@@ -15,6 +15,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;
 use Symfony\Component\PasswordHasher\PasswordHasherInterface;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
@@ -28,7 +29,6 @@
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\EventListener\PasswordMigratingListener;
 use Symfony\Component\Security\Http\Tests\Fixtures\DummyAuthenticator;
-use Symfony\Component\Security\Http\Tests\Fixtures\DummyToken;
 
 class PasswordMigratingListenerTest extends TestCase
 {
@@ -140,7 +140,7 @@ private static function createPasswordUpgrader()
 
     private static function createEvent(PassportInterface $passport)
     {
-        return new LoginSuccessEvent(new DummyAuthenticator(), $passport, new DummyToken(), new Request(), null, 'main');
+        return new LoginSuccessEvent(new DummyAuthenticator(), $passport, new NullToken(), new Request(), null, 'main');
     }
 }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/SessionStrategyListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/SessionStrategyListenerTest.php
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/DummySupportsAuthenticator.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/DummySupportsAuthenticator.php
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/DummyToken.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/DummyToken.php

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ public function authenticateUser(UserInterface $user, AuthenticatorInterface $au`
`84`	`84`	`$token = $this->eventDispatcher->dispatch(new AuthenticationTokenCreatedEvent($token, $passport))->getAuthenticatedToken();`
`85`	`85`
`86`	`86`	`// authenticate this in the system`
`87`		`- return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator);`
	`87`	`+ return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator, $this->tokenStorage->getToken());`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`public function supports(Request $request): ?bool`
`@@ -174,6 +174,7 @@ private function executeAuthenticators(array $authenticators, Request $request):`
`174`	`174`	`private function executeAuthenticator(AuthenticatorInterface $authenticator, Request $request): ?Response`
`175`	`175`	`{`
`176`	`176`	`$passport = null;`
	`177`	`+ $previousToken = $this->tokenStorage->getToken();`
`177`	`178`
`178`	`179`	`try {`
`179`	`180`	`// get the passport from the Authenticator`
`@@ -224,7 +225,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req`
`224`	`225`	`}`
`225`	`226`
`226`	`227`	`// success! (sets the token on the token storage, etc)`
`227`		`- $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator);`
	`228`	`+ $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator, $previousToken);`
`228`	`229`	`if ($response instanceof Response) {`
`229`	`230`	`return $response;`
`230`	`231`	`}`
`@@ -236,7 +237,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req`
`236`	`237`	`return null;`
`237`	`238`	`}`
`238`	`239`
`239`		`- private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator): ?Response`
	`240`	`+ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator, ?TokenInterface $previousToken): ?Response`
`240`	`241`	`{`
`241`	`242`	`// @deprecated since Symfony 5.3`
`242`	`243`	`$user = $authenticatedToken->getUser();`
`@@ -252,7 +253,7 @@ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken,`
`252`	`253`	`$this->eventDispatcher->dispatch($loginEvent, SecurityEvents::INTERACTIVE_LOGIN);`
`253`	`254`	`}`
`254`	`255`
`255`		`- $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName));`
	`256`	`+ $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName, $previousToken));`
`256`	`257`
`257`	`258`	`return $loginSuccessEvent->getResponse();`
`258`	`259`	`}`
Original file line number	Diff line number	Diff line change
`@@ -98,13 +98,14 @@ public function authenticate(RequestEvent $event)`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`try {`
	`101`	`+ $previousToken = $token;`
`101`	`102`	`$token = $this->authenticationManager->authenticate(new PreAuthenticatedToken($user, $credentials, $this->providerKey));`
`102`	`103`
`103`	`104`	`if (null !== $this->logger) {`
`104`	`105`	`$this->logger->info('Pre-authentication successful.', ['token' => (string) $token]);`
`105`	`106`	`}`
`106`	`107`
`107`		`- $this->migrateSession($request, $token);`
	`108`	`+ $this->migrateSession($request, $token, $previousToken);`
`108`	`109`
`109`	`110`	`$this->tokenStorage->setToken($token);`
`110`	`111`
`@@ -149,12 +150,21 @@ private function clearToken(AuthenticationException $exception)`
`149`	`150`	`*/`
`150`	`151`	`abstract protected function getPreAuthenticatedData(Request $request);`
`151`	`152`
`152`		`- private function migrateSession(Request $request, TokenInterface $token)`
	`153`	`+ private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)`
`153`	`154`	`{`
`154`	`155`	`if (!$this->sessionStrategy \|\| !$request->hasSession() \|\| !$request->hasPreviousSession()) {`
`155`	`156`	`return;`
`156`	`157`	`}`
`157`	`158`
	`159`	`+ if ($previousToken) {`
	`160`	`+ $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();`
	`161`	`+ $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();`
	`162`	`+`
	`163`	`+ if ('' !== ($user ?? '') && $user === $previousUser) {`
	`164`	`+ return;`
	`165`	`+ }`
	`166`	`+ }`
	`167`	`+`
`158`	`168`	`$this->sessionStrategy->onAuthentication($request, $token);`
`159`	`169`	`}`
`160`	`170`	`}`
Original file line number	Diff line number	Diff line change
`@@ -88,9 +88,10 @@ public function authenticate(RequestEvent $event)`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`try {`
	`91`	`+ $previousToken = $token;`
`91`	`92`	`$token = $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'), $this->providerKey));`
`92`	`93`
`93`		`- $this->migrateSession($request, $token);`
	`94`	`+ $this->migrateSession($request, $token, $previousToken);`
`94`	`95`
`95`	`96`	`$this->tokenStorage->setToken($token);`
`96`	`97`	`} catch (AuthenticationException $e) {`
`@@ -121,12 +122,21 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn`
`121`	`122`	`$this->sessionStrategy = $sessionStrategy;`
`122`	`123`	`}`
`123`	`124`
`124`		`- private function migrateSession(Request $request, TokenInterface $token)`
	`125`	`+ private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)`
`125`	`126`	`{`
`126`	`127`	`if (!$this->sessionStrategy \|\| !$request->hasSession() \|\| !$request->hasPreviousSession()) {`
`127`	`128`	`return;`
`128`	`129`	`}`
`129`	`130`
	`131`	`+ if ($previousToken) {`
	`132`	`+ $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();`
	`133`	`+ $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();`
	`134`	`+`
	`135`	`+ if ('' !== ($user ?? '') && $user === $previousUser) {`
	`136`	`+ return;`
	`137`	`+ }`
	`138`	`+ }`
	`139`	`+`
`130`	`140`	`$this->sessionStrategy->onAuthentication($request, $token);`
`131`	`141`	`}`
`132`	`142`	`}`
Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,7 @@ public function authenticate(RequestEvent $event)`
`101`	`101`	`{`
`102`	`102`	`$request = $event->getRequest();`
`103`	`103`	`$data = json_decode($request->getContent());`
	`104`	`+ $previousToken = $this->tokenStorage->getToken();`
`104`	`105`
`105`	`106`	`try {`
`106`	`107`	`if (!$data instanceof \stdClass) {`
`@@ -134,7 +135,7 @@ public function authenticate(RequestEvent $event)`
`134`	`135`	`$token = new UsernamePasswordToken($username, $password, $this->providerKey);`
`135`	`136`
`136`	`137`	`$authenticatedToken = $this->authenticationManager->authenticate($token);`
`137`		`- $response = $this->onSuccess($request, $authenticatedToken);`
	`138`	`+ $response = $this->onSuccess($request, $authenticatedToken, $previousToken);`
`138`	`139`	`} catch (AuthenticationException $e) {`
`139`	`140`	`$response = $this->onFailure($request, $e);`
`140`	`141`	`} catch (BadRequestHttpException $e) {`
`@@ -150,14 +151,14 @@ public function authenticate(RequestEvent $event)`
`150`	`151`	`$event->setResponse($response);`
`151`	`152`	`}`
`152`	`153`
`153`		`- private function onSuccess(Request $request, TokenInterface $token): ?Response`
	`154`	`+ private function onSuccess(Request $request, TokenInterface $token, ?TokenInterface $previousToken): ?Response`
`154`	`155`	`{`
`155`	`156`	`if (null !== $this->logger) {`
`156`	`157`	`// @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0`
`157`	`158`	`$this->logger->info('User has been authenticated successfully.', ['username' => method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()]);`
`158`	`159`	`}`
`159`	`160`
`160`		`- $this->migrateSession($request, $token);`
	`161`	`+ $this->migrateSession($request, $token, $previousToken);`
`161`	`162`
`162`	`163`	`$this->tokenStorage->setToken($token);`
`163`	`164`
`@@ -224,12 +225,21 @@ public function setTranslator(TranslatorInterface $translator)`
`224`	`225`	`$this->translator = $translator;`
`225`	`226`	`}`
`226`	`227`
`227`		`- private function migrateSession(Request $request, TokenInterface $token)`
	`228`	`+ private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)`
`228`	`229`	`{`
`229`	`230`	`if (!$this->sessionStrategy \|\| !$request->hasSession() \|\| !$request->hasPreviousSession()) {`
`230`	`231`	`return;`
`231`	`232`	`}`
`232`	`233`
	`234`	`+ if ($previousToken) {`
	`235`	`+ $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();`
	`236`	`+ $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();`
	`237`	`+`
	`238`	`+ if ('' !== ($user ?? '') && $user === $previousUser) {`
	`239`	`+ return;`
	`240`	`+ }`
	`241`	`+ }`
	`242`	`+`
`233`	`243`	`$this->sessionStrategy->onAuthentication($request, $token);`
`234`	`244`	`}`
`235`	`245`	`}`