Hi Ryan,

Yes, I see your point, and it may be the behaviour that is intended, but I don't think it's what we should really do as it doesn't make sense to me.
Look at it like this: a user comes to the site, and through the remember me cookie, they are authenticated based on their previous login. The page they are accessing happens to be one they do not have access to, maybe their roles have changed since they last were on the site, maybe something else has changed, but whatever the reason, the user itself has not changed, and is authenticated. Therefore, they should be presented with an access denied status code and be logged in still, rather than not being logged in and being shown a login form.

Does my explanation make sense?

Thanks,
Chris
