Hi,

commit 28bee92c75ad2e02ea229f4dd064372f00a68cdb by Johannes introduced a new $request->hasPreviousSession() check to AbstractAuthenticationListener::handle(), which causes authentication requests to fail if no previous session is available, even if the actual authentication process ran through.

I have been using the UsernamePasswordFormAuthentication without redirects (by directly accessing the check_path and configuring a custom successHandler, in order to authenticate via ajax or backend request), which is not possible any more. Since AbstractAuthenticationListener::handle() is final, there also is no easy way to change this behaviour by extending the Listener class.

So while I think the hasPreviousSession() is useful in a regular setup, it should be configurable or at least extendable. What are your opinions on the topic?

Best regards,
Stefan