niftycent.com
NiftyCent
US
Login
Marketplace
Discounts

New in Symfony 6.2: Security Improvements (Part 2)

Simpler Programmatic Logout

Contributed by
Arnaud Frézet and Robin Chalas
in #41406.

Similar to the simpler programmatic login feature introduced in Symfony 6.2, we're introducing a simpler way to logout users programmatically. The new method is called logout() and it's defined in the Security service:

use Symfony\Component\Security\Core\Security;
// ...

class SomeService
{
    public function __construct(
        private Security $security,
    ) {
    }

    public function someMethod()
    {
        // fetch a UserInterface object somehow (e.g. from a database)
        $user = ...

        // logout the user programmatically
        $this->security->logout($user);

        // use this optional argument if you prefer to not validate the
        // CSRF token according to the logout listener configuration
        $this->security->logout($user, validateCsrfToken: false);

        // ...
    }
}

Improved Password Form Field

Contributed by
Sébastien Alfaiate
in #46224.

A common practice when working with user passwords is to add the plaintext password field in the form as an unmapped property and store the hashed password in the database. In Symfony 6.2 we're improving the PasswordType field so you can configure more easily the property where the hashed password is stored:

$builder->add('plainPassword', PasswordType::class, [
    // the result of hashing the plaintext password will be stored in
    // a property called 'password' of the object passed to the form
    'hash_property_path' => 'password',

    // to minimize the risk of leaking the plaintext password, the
    // 'hash_property_path' option can only be used in unmapped properties
    'mapped' => false,
]);

Simpler Logout CSRF Protection

Contributed by
Wouter de Jong
in #46580.

In previous Symfony versions we simplified the configuration of the login CSRF protection. In Symfony 6.2 we're also simplifying the logout CSRF protection. Instead of dealing with the low-level csrf_token_generator option, you can now set enable_csrf: true in the logout configuration of your firewall to get the same result:

security:
   firewalls:
     main:
       logout:
-        csrf_token_generator: security.csrf.token_generator
+        enable_csrf: true

The csrf_token_generator option is still available in case your application uses a custom CSRF token generator.

Easier Way to Get the Firewall Configuration

Contributed by
Hugo Alliaume
in #46066.

The firewall is one of the most important elements of security: it defines which parts of your application are secured and how your users will be able to authenticate (e.g. login form, API token, etc).

In Symfony 6.2 we're making it easier to obtain the information of the firewall for a given request thanks to a new getFirewallConfig() method added to the Security service:

use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Security;
// ...

class SomeService
{
    public function __construct(
        private Security $security,
        private RequestStack $requestStack,
    ) {
    }

    public function someMethod()
    {
        $request = $this->requestStack->getCurrentRequest();
        /** @var FirewallConfig|null */
        $firewallConfig = $this->security->getFirewallConfig($request);

        $firewallName = $firewallConfig?->getName();

        // ...
    }
}
            <hr style="margin-bottom: 5px" />
            <div style="font-size: 90%">
                <a href="https://symfony.com/sponsor">Sponsor</a> the Symfony project.
            </div>

https://symfony.com/blog/new-in-symfony-6-2-security-improvements-part-2?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Created 2y | Nov 24, 2022, 12:20:09 PM


Login to add comment

Other posts in this group

Symfony 7.2.6 released
Symfony 7.2.6 released

Symfony 7.2.6 has just been released. Here is the list of the most important changes since 7.2.5:

bug #60288 [VarExporter] dump default value for property hooks if present (@xabbuh)

bug #60267 [C

May 2, 2025, 12:40:05 PM | Symfony
Symfony 7.3.0-BETA1 released
Symfony 7.3.0-BETA1 released

Symfony 7.3.0-BETA1 has just been released. Here is the list of the most important changes since 7.2:

feature #60232 Add PHP config support for routing (@fabpot)

feature #60102 [HttpFoundation] A

May 2, 2025, 12:40:04 PM | Symfony
SymfonyOnline June 2025 : Efficient Web Scraping with Symfony & PHP
SymfonyOnline June 2025 : Efficient Web Scraping with Symfony & PHP

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

May 2, 2025, 12:40:03 PM | Symfony
New in Symfony 7.3: Configurable Compound Rate Limiter
New in Symfony 7.3: Configurable Compound Rate Limiter

Contributed by Kevin Bond in

May 2, 2025, 10:20:09 AM | Symfony
Symfony 6.4.21 released
Symfony 6.4.21 released

Symfony 6.4.21 has just been released. Here is the list of the most important changes since 6.4.20:

bug #60288 [VarExporter] dump default value for property hooks if present (@xabbuh)

bug #60268

May 2, 2025, 10:20:08 AM | Symfony
New in Symfony 7.3: Extra Runtime Dot Env Files
New in Symfony 7.3: Extra Runtime Dot Env Files

Contributed by Nathan Page in

May 1, 2025, 8:40:12 AM | Symfony
SymfonyOnline June 2025: Where Have the Women of Tech History Gone?
SymfonyOnline June 2025: Where Have the Women of Tech History Gone?

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

Apr 30, 2025, 2:20:02 PM | Symfony
Techie
Techie