New in Symfony 6.2: Security Improvements (Part 2)

November 24, 2022 Published by Avatar of Javier Eguiluz Javier Eguiluz

Symfony 6.2 is backed by:

Les-Tilleuls.coop is a team of 70+ Symfony experts who can help you design, develop and fix your projects. We provide a wide range of professional services including development, consulting, coaching, training and audits. We also are highly skilled in JS, Go and DevOps. We are a worker cooperative!
Sulu is the CMS for Symfony developers. It provides pre-built content-management features while giving developers the freedom to build, deploy, and maintain custom solutions using full-stack Symfony. Sulu is ideal for creating complex websites, integrating external tools, and building custom-built solutions.

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

Simpler Programmatic Logout

Arnaud Frézet Robin Chalas
Contributed by Arnaud Frézet and Robin Chalas in #41406

Similar to the simpler programmatic login feature introduced in Symfony 6.2, we're introducing a simpler way to logout users programmatically. The new method is called logout() and it's defined in the Security service:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
use Symfony\Bundle\SecurityBundle\Security;
// ...

class SomeService
{
    public function __construct(
        private Security $security,
    ) {
    }

    public function someMethod()
    {
        // logout the user programmatically
        $this->security->logout();

        // use this optional argument if you prefer to not validate the
        // CSRF token according to the logout listener configuration
        $this->security->logout(validateCsrfToken: false);

        // ...
    }
}

Improved Password Form Field

Sébastien Alfaiate
Contributed by Sébastien Alfaiate in #46224

A common practice when working with user passwords is to add the plaintext password field in the form as an unmapped property and store the hashed password in the database. In Symfony 6.2 we're improving the PasswordType field so you can configure more easily the property where the hashed password is stored:

1
2
3
4
5
6
7
8
9
$builder->add('plainPassword', PasswordType::class, [
    // the result of hashing the plaintext password will be stored in
    // a property called 'password' of the object passed to the form
    'hash_property_path' => 'password',

    // to minimize the risk of leaking the plaintext password, the
    // 'hash_property_path' option can only be used in unmapped properties
    'mapped' => false,
]);

Simpler Logout CSRF Protection

Wouter de Jong
Contributed by Wouter de Jong in #46580

In previous Symfony versions we simplified the configuration of the login CSRF protection. In Symfony 6.2 we're also simplifying the logout CSRF protection. Instead of dealing with the low-level csrf_token_generator option, you can now set enable_csrf: true in the logout configuration of your firewall to get the same result:

1
2
3
4
5
6
security:
   firewalls:
     main:
       logout:
-        csrf_token_generator: security.csrf.token_generator
+        enable_csrf: true

The csrf_token_generator option is still available in case your application uses a custom CSRF token generator.

Easier Way to Get the Firewall Configuration

Hugo Alliaume
Contributed by Hugo Alliaume in #46066

The firewall is one of the most important elements of security: it defines which parts of your application are secured and how your users will be able to authenticate (e.g. login form, API token, etc).

In Symfony 6.2 we're making it easier to obtain the information of the firewall for a given request thanks to a new getFirewallConfig() method added to the Security service:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
use Symfony\Component\HttpFoundation\RequestStack;
// ...

class SomeService
{
    public function __construct(
        private Security $security,
        private RequestStack $requestStack,
    ) {
    }

    public function someMethod()
    {
        $request = $this->requestStack->getCurrentRequest();
        /** @var FirewallConfig|null */
        $firewallConfig = $this->security->getFirewallConfig($request);

        $firewallName = $firewallConfig?->getName();

        // ...
    }
}
Published in #Living on the edge

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Wouter de Jong
Wouter de Jong said on Nov 24, 2022
The automatically hashing password form field is such a cool little life improvement!
Avatar of Nicolas Sauveur
Nicolas Sauveur said on Dec 1, 2022
Looks like `$this->security->logout()` does not take the user as parameter.
Avatar of Manuel Becker
Manuel Becker said on Dec 5, 2022
Just wanted to try this new functionality because it sounds so great to be able to log out any user and agree with Nicolas... there is no user parameter. It would be awesome to have this functionality because as an Admin it's quite important to be able to log out a specific user when the account needs to be disabled for whatever reason.
Avatar of Wouter de Jong
Wouter de Jong said on Dec 6, 2022
Indeed the code example is wrong. Here you can see the docs of this feature: https://symfony.com/doc/current/security.html#logout-programmatically
Avatar of Javier Eguiluz
Javier Eguiluz Certified said on Dec 6, 2022
We've updated the code example. Thanks for your help!

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.