NelmioSecurityBundle
Incompatible with Symfony's clearCookie() strategy
Symfony's default method of deleting cookies is calling $response->headers->clearCookie('cookie_name'), which sets the cookie to have a value of null and an expiration in 1 second.
This breaks if the cookie is signed, on line 79 of SignedCookieListener.php, when the code attempts to sign the "null" value.
$this->signer->getSignedValue($cookie->getValue())
fails when $cookie->getValue() returns null.
I'm not entirely sure what the cleanest solution is: either changing the above line to not try to sign them if the value is null (probably?), or maybe converting null values to a string?
For now, my workaround is to avoid clearCookie and to set the cookie to an expiration of 1 and a value of '', but this is messier than using the built-in Symfony method.
I think skipping the signing if we detect a null value sounds good, if you want to send a PR.
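The approach suggested in the reply above (skip signing when a cookie's value is null), as an added example that is not NelmioSecurityBundle's own code. ExampleSigner, signOutgoingCookies, the secret and the cookie names are hypothetical, and cookies are modelled as a plain name => value array rather than Symfony Cookie objects.

```php
<?php
// Added illustration, not NelmioSecurityBundle code. All names are hypothetical.
declare(strict_types=1);

final class ExampleSigner
{
    public function __construct(private string $secret) {}

    // Append an HMAC-SHA256 tag to the value, separated by a dot.
    public function sign(string $value): string
    {
        return $value . '.' . hash_hmac('sha256', $value, $this->secret);
    }

    // Return the original value, or null when the tag is missing or wrong.
    public function verify(string $signed): ?string
    {
        $pos = strrpos($signed, '.');
        if ($pos === false) {
            return null;
        }
        $value = substr($signed, 0, $pos);
        $mac = substr($signed, $pos + 1);
        // hash_equals compares in constant time.
        return hash_equals(hash_hmac('sha256', $value, $this->secret), $mac) ? $value : null;
    }
}

/**
 * @param array<string, ?string> $cookies outgoing cookies; a null value marks a deletion
 * @return array<string, ?string>
 */
function signOutgoingCookies(ExampleSigner $signer, array $cookies): array
{
    foreach ($cookies as $name => $value) {
        if ($value === null) {
            continue; // deletion cookie: there is no value to sign, pass it through
        }
        $cookies[$name] = $signer->sign($value);
    }
    return $cookies;
}

// Constructed sample data: one normal cookie and one cleared cookie.
$signer = new ExampleSigner('constructed-secret-for-example');
$out = signOutgoingCookies($signer, ['session_hint' => 'abc123', 'old_pref' => null]);

var_dump($out['old_pref']);                      // the cleared cookie
var_dump($signer->verify($out['session_hint'])); // a signed value checked on the way back in
var_dump($signer->verify('abc123'));             // an unsigned value presented by a client
```

Skipping null values on the way out does not relax the inbound check: a deletion cookie carries no value for the application to trust, and verify() still returns null for anything that arrives without a valid tag.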