clear CSRF tokens when the user is logged out

Author: xabbuh

Csrf/Tests/TokenStorage/NativeSessionTokenStorageTest.php

@@ -116,4 +116,32 @@ public function testRemoveExistingToken()
         $this->assertSame('TOKEN', $this->storage->removeToken('token_id'));
         $this->assertFalse($this->storage->hasToken('token_id'));
     }
+
+    public function testClearRemovesAllTokensFromTheConfiguredNamespace()
+    {
+        $this->storage->setToken('foo', 'bar');
+        $this->storage->clear();
+
+        $this->assertFalse($this->storage->hasToken('foo'));
+        $this->assertArrayNotHasKey(self::SESSION_NAMESPACE, $_SESSION);
+    }
+
+    public function testClearDoesNotRemoveSessionValuesFromOtherNamespaces()
+    {
+        $_SESSION['foo']['bar'] = 'baz';
+        $this->storage->clear();
+
+        $this->assertArrayHasKey('foo', $_SESSION);
+        $this->assertArrayHasKey('bar', $_SESSION['foo']);
+        $this->assertSame('baz', $_SESSION['foo']['bar']);
+    }
+
+    public function testClearDoesNotRemoveNonNamespacedSessionValues()
+    {
+        $_SESSION['foo'] = 'baz';
+        $this->storage->clear();
+
+        $this->assertArrayHasKey('foo', $_SESSION);
+        $this->assertSame('baz', $_SESSION['foo']);
+    }
 }

Csrf/Tests/TokenStorage/SessionTokenStorageTest.php

@@ -129,4 +129,31 @@ public function testRemoveExistingTokenFromActiveSession()
 
         $this->assertSame('TOKEN', $this->storage->removeToken('token_id'));
     }
+
+    public function testClearRemovesAllTokensFromTheConfiguredNamespace()
+    {
+        $this->storage->setToken('foo', 'bar');
+        $this->storage->clear();
+
+        $this->assertFalse($this->storage->hasToken('foo'));
+        $this->assertFalse($this->session->has(self::SESSION_NAMESPACE.'/foo'));
+    }
+
+    public function testClearDoesNotRemoveSessionValuesFromOtherNamespaces()
+    {
+        $this->session->set('foo/bar', 'baz');
+        $this->storage->clear();
+
+        $this->assertTrue($this->session->has('foo/bar'));
+        $this->assertSame('baz', $this->session->get('foo/bar'));
+    }
+
+    public function testClearDoesNotRemoveNonNamespacedSessionValues()
+    {
+        $this->session->set('foo', 'baz');
+        $this->storage->clear();
+
+        $this->assertTrue($this->session->has('foo'));
+        $this->assertSame('baz', $this->session->get('foo'));
+    }
 }

Csrf/TokenStorage/ClearableTokenStorageInterface.php

@@ -0,0 +1,23 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Csrf\TokenStorage;
+
+/**
+ * @author Christian Flothmann <christian.flothmann@sensiolabs.de>
+ */
+interface ClearableTokenStorageInterface extends TokenStorageInterface
+{
+    /**
+     * Removes all CSRF tokens.
+     */
+    public function clear();
+}

Csrf/TokenStorage/NativeSessionTokenStorage.php

@@ -18,7 +18,7 @@
  *
  * @author Bernhard Schussek <bschussek@gmail.com>
  */
-class NativeSessionTokenStorage implements TokenStorageInterface
+class NativeSessionTokenStorage implements ClearableTokenStorageInterface
 {
     /**
      * The namespace used to store values in the session.
@@ -96,6 +96,14 @@ public function removeToken($tokenId)
         return $token;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function clear()
+    {
+        unset($_SESSION[$this->namespace]);
+    }
+
     private function startSession()
     {
         if (\PHP_VERSION_ID >= 50400) {

Csrf/TokenStorage/SessionTokenStorage.php

@@ -19,7 +19,7 @@
  *
  * @author Bernhard Schussek <bschussek@gmail.com>
  */
-class SessionTokenStorage implements TokenStorageInterface
+class SessionTokenStorage implements ClearableTokenStorageInterface
 {
     /**
      * The namespace used to store values in the session.
@@ -92,4 +92,16 @@ public function removeToken($tokenId)
 
         return $this->session->remove($this->namespace.'/'.$tokenId);
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function clear()
+    {
+        foreach (array_keys($this->session->all()) as $key) {
+            if (0 === strpos($key, $this->namespace.'/')) {
+                $this->session->remove($key);
+            }
+        }
+    }
 }

Http/Logout/CsrfTokenClearingLogoutHandler.php

@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Logout;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
+
+/**
+ * @author Christian Flothmann <christian.flothmann@sensiolabs.de>
+ */
+class CsrfTokenClearingLogoutHandler implements LogoutHandlerInterface
+{
+    private $csrfTokenStorage;
+
+    public function __construct(ClearableTokenStorageInterface $csrfTokenStorage)
+    {
+        $this->csrfTokenStorage = $csrfTokenStorage;
+    }
+
+    public function logout(Request $request, Response $response, TokenInterface $token)
+    {
+        $this->csrfTokenStorage->clear();
+    }
+}

Http/Tests/Logout/CsrfTokenClearingLogoutHandlerTest.php

@@ -0,0 +1,76 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Tests\Logout;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
+use Symfony\Component\Security\Http\Logout\CsrfTokenClearingLogoutHandler;
+
+class CsrfTokenClearingLogoutHandlerTest extends TestCase
+{
+    private $session;
+    private $csrfTokenStorage;
+    private $csrfTokenClearingLogoutHandler;
+
+    protected function setUp()
+    {
+        $this->session = new Session(new MockArraySessionStorage());
+        $this->csrfTokenStorage = new SessionTokenStorage($this->session, 'foo');
+        $this->csrfTokenStorage->setToken('foo', 'bar');
+        $this->csrfTokenStorage->setToken('foobar', 'baz');
+        $this->csrfTokenClearingLogoutHandler = new CsrfTokenClearingLogoutHandler($this->csrfTokenStorage);
+    }
+
+    public function testCsrfTokenCookieWithSameNamespaceIsRemoved()
+    {
+        $this->assertSame('bar', $this->session->get('foo/foo'));
+        $this->assertSame('baz', $this->session->get('foo/foobar'));
+
+        $this->csrfTokenClearingLogoutHandler->logout(new Request(), new Response(), $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock());
+
+        $this->assertFalse($this->csrfTokenStorage->hasToken('foo'));
+        $this->assertFalse($this->csrfTokenStorage->hasToken('foobar'));
+
+        $this->assertFalse($this->session->has('foo/foo'));
+        $this->assertFalse($this->session->has('foo/foobar'));
+    }
+
+    public function testCsrfTokenCookieWithDifferentNamespaceIsNotRemoved()
+    {
+        $barNamespaceCsrfSessionStorage = new SessionTokenStorage($this->session, 'bar');
+        $barNamespaceCsrfSessionStorage->setToken('foo', 'bar');
+        $barNamespaceCsrfSessionStorage->setToken('foobar', 'baz');
+
+        $this->assertSame('bar', $this->session->get('foo/foo'));
+        $this->assertSame('baz', $this->session->get('foo/foobar'));
+        $this->assertSame('bar', $this->session->get('bar/foo'));
+        $this->assertSame('baz', $this->session->get('bar/foobar'));
+
+        $this->csrfTokenClearingLogoutHandler->logout(new Request(), new Response(), $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock());
+
+        $this->assertTrue($barNamespaceCsrfSessionStorage->hasToken('foo'));
+        $this->assertTrue($barNamespaceCsrfSessionStorage->hasToken('foobar'));
+        $this->assertSame('bar', $barNamespaceCsrfSessionStorage->getToken('foo'));
+        $this->assertSame('baz', $barNamespaceCsrfSessionStorage->getToken('foobar'));
+        $this->assertFalse($this->csrfTokenStorage->hasToken('foo'));
+        $this->assertFalse($this->csrfTokenStorage->hasToken('foobar'));
+
+        $this->assertFalse($this->session->has('foo/foo'));
+        $this->assertFalse($this->session->has('foo/foobar'));
+        $this->assertSame('bar', $this->session->get('bar/foo'));
+        $this->assertSame('baz', $this->session->get('bar/foobar'));
+    }
+}

Http/composer.json

@@ -24,9 +24,12 @@
     },
     "require-dev": {
         "symfony/routing": "~2.2",
-        "symfony/security-csrf": "~2.4",
+        "symfony/security-csrf": "~2.7.48 || ~2.8.41",
         "psr/log": "~1.0"
     },
+    "conflict": {
+        "symfony/security-csrf": "<2.7.48 || >=2.8.0,<2.8.41 || >=3.0.0"
+    },
     "suggest": {
         "symfony/security-csrf": "For using tokens to protect authentication/logout attempts",
         "symfony/routing": "For using the HttpUtils class to create sub-requests, redirect the user, and match URLs"