Simpler Programmatic Logout
Contributed by
Arnaud Frézet
and Robin Chalas
in #41406.
Similar to the simpler programmatic login feature introduced in Symfony 6.2,
we're introducing a simpler way to logout users programmatically. The new method
is called logout() and it's defined in the Security service:
use Symfony\Component\Security\Core\Security;
// ...
class SomeService
{
public function __construct(
private Security $security,
) {
}
public function someMethod()
{
// fetch a UserInterface object somehow (e.g. from a database)
$user = ...
// logout the user programmatically
$this->security->logout($user);
// use this optional argument if you prefer to not validate the
// CSRF token according to the logout listener configuration
$this->security->logout($user, validateCsrfToken: false);
// ...
}
}Improved Password Form Field
Contributed by
Sébastien Alfaiate
in #46224.
A common practice when working with user passwords is to add the plaintext password field in the form as an unmapped property and store the hashed password in the database. In Symfony 6.2 we're improving the PasswordType field so you can configure more easily the property where the hashed password is stored:
$builder->add('plainPassword', PasswordType::class, [
// the result of hashing the plaintext password will be stored in
// a property called 'password' of the object passed to the form
'hash_property_path' => 'password',
// to minimize the risk of leaking the plaintext password, the
// 'hash_property_path' option can only be used in unmapped properties
'mapped' => false,
]);Simpler Logout CSRF Protection
Contributed by
Wouter de Jong
in #46580.
In previous Symfony versions we simplified the configuration of the login CSRF
protection. In Symfony 6.2 we're also simplifying the logout CSRF protection.
Instead of dealing with the low-level csrf_token_generator option, you can
now set enable_csrf: true in the logout configuration of your firewall to
get the same result:
security:
firewalls:
main:
logout:
- csrf_token_generator: security.csrf.token_generator
+ enable_csrf: trueThe csrf_token_generator option is still available in case your application
uses a custom CSRF token generator.
Easier Way to Get the Firewall Configuration
Contributed by
Hugo Alliaume
in #46066.
The firewall is one of the most important elements of security: it defines which parts of your application are secured and how your users will be able to authenticate (e.g. login form, API token, etc).
In Symfony 6.2 we're making it easier to obtain the information of the firewall
for a given request thanks to a new getFirewallConfig() method added to the
Security service:
use Symfony\Bundle\SecurityBundle\Security\FirewallConfig;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Security;
// ...
class SomeService
{
public function __construct(
private Security $security,
private RequestStack $requestStack,
) {
}
public function someMethod()
{
$request = $this->requestStack->getCurrentRequest();
/** @var FirewallConfig|null */
$firewallConfig = $this->security->getFirewallConfig($request);
$firewallName = $firewallConfig?->getName();
// ...
}
} <hr style="margin-bottom: 5px" />
<div style="font-size: 90%">
<a href="https://symfony.com/sponsor">Sponsor</a> the Symfony project.
</div>Accedi per aggiungere un commento
Altri post in questo gruppo
We were absolutely thrilled to gather with the incredible Symfony community for the first time in Vienna, Austria, from December 5th to 6th, surrounded by the warm and festive atmosphere of the
SymfonyLive Paris 2025, conference in French language only, will take place from March 27 to 28! The schedule is currently being revealed as we go along. More details are available here.
💻
Symfony has been active on X, Mastodon, and Bluesky for some time, but until recently, not all platforms received equal attention. Since Twitter (now X) was our first social network, all blog posts we
SymfonyLive Berlin 2025, conference held in English, will take place from April 1 to 4! The schedule is being revealed gradually. More details are available here.
As we are now unveiling th
Affected versions
Twig versions >=3.16.0,<3.19.0 are affected by this security issue.
The issue has been fixed in Twig 3.19.0.
Description
When using the null coalesce operator (??), output esc
Symfony 6.4.18 has just been released. Here is the list of the most important changes since 6.4.17:
bug #58889 [Serializer] Handle default context in Serializer (@Valmonzo)bug #59631 [HttpClient
Symfony 7.1.11 has just been released. Here is the list of the most important changes since 7.1.10:
bug #58889 [Serializer] Handle default context in Serializer (@Valmonzo)bug #59631 [HttpClient
