Aloha,

1) I think there is a potential security danger because of the missing CSRF protection in the login form. Attackers could register an account that they try to make look a bit like that of a potential "victim", presenting the victim with a link that logs them in, and then hope that they give them some information in that account, as the victim could believe he was just logged into his own account.

Therefore I think there also needs to be CSRF protection in there.

2) Speaking of CSRF protection: the new array storage container is nice for tests; however, this highlights the need to get rid of the session_id() calls inside the form layer. We need to move this to the storage class and make the session_id() either a parameter to the form layer or inject the session itself (for example if we are worried about the session id changing during the request).

regards,
Lukas Kahwe Smith
m...@pooteeweet.org

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com

You received this message because you are subscribed to the Google Groups "symfony developers" group.
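The login-CSRF check from point 1) and the injected session storage from point 2), as an added PHP example that is not part of the mail or of Symfony's own code; the interface and class names, the `'login'` intention string and the `_token` field are assumptions made for the example.

```php
<?php
// Added example, not code from the mail or from Symfony: a CSRF token provider
// that never calls session_id() itself. The session id comes from an injected
// storage, so tests use an array-backed one while production injects the real
// session. All class and method names here are hypothetical.
interface SessionStorageInterface { public function getId(): string; }

// Production storage: reads the id of the already-started PHP session.
final class NativeSessionStorage implements SessionStorageInterface
{
    public function getId(): string
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            throw new RuntimeException('session not started');
        }
        return session_id();
    }
}

// Test storage: a fixed id, no global state touched.
final class ArraySessionStorage implements SessionStorageInterface
{
    public function __construct(private string $id) {}
    public function getId(): string { return $this->id; }
}

final class CsrfTokenProvider
{
    public function __construct(private SessionStorageInterface $storage, private string $secret) {}

    // Bind the token to the form intention ('login') and to the session id, so a
    // token minted for one session is rejected when submitted in another.
    public function generate(string $intention): string
    {
        return hash_hmac('sha256', $intention . '|' . $this->storage->getId(), $this->secret);
    }
    public function isValid(string $intention, string $token): bool
    {
        return hash_equals($this->generate($intention), $token);
    }
}

// Login handler: check the token before looking at any credentials; on true
// the caller continues with the normal username/password check.
function handleLogin(array $post, CsrfTokenProvider $csrf): bool
{
    return isset($post['_token']) && $csrf->isValid('login', (string) $post['_token']);
}
$csrf = new CsrfTokenProvider(new ArraySessionStorage('test-session-1'), 'app-secret');
assert(handleLogin(['_token' => $csrf->generate('login')], $csrf) === true);
assert(handleLogin(['_token' => 'forged'], $csrf) === false);
```

Swapping ArraySessionStorage for NativeSessionStorage is the only change needed outside tests; the form layer itself never sees session_id().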