contao / core-bundle

[READ-ONLY] Contao Core Bundle
GNU Lesser General Public License v3.0

Logged out on every backend navigation #1534

Closed patrickjDE closed 6 years ago

patrickjDE commented 6 years ago

After updating to Symfony 3.4.11, I'm getting a new Session Cookie on every page (re)load, and thus get logged out of the backend on every navigation. This renders the backend completely unusable. I'd guess one of the changes for https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication causes this issue, but can't really dig any deeper into it to see if the underlying issue is to be fixed by Contao or Symfony.

Running Contao 4.4.17 with Symfony >=3.4.9.

PS: Before this issue is dismissed because I'm not running the latest version of Contao, mind that I'm only running 4.4.17 because 4.4.18 is stuck with sf 3.4.6 (due to the symfony/security conflict added for #1466, which has been resolved in Symfony 3.4.9). When Contao 4.4.19 changes the conflict with symfony/security to 3.4.7||3.4.8 and thus allows updating symfony to 3.4.11, this issue will probably hit 4.4.19.

leofeyer commented 6 years ago

This is true unfortunately; I have noticed the same yesterday. 😢

@contao/developers /cc

leofeyer commented 6 years ago

This change in Symfony seems to cause the problem. See symfony/symfony#27395.

weaverryan commented 6 years ago

Can you guys put a bit more info about how Contao's authentication works on symfony/symfony#27395? See my comment here: https://github.com/symfony/symfony/issues/27395#issuecomment-393157829 - I need some more details to determine why authentication is happening on every request (which is what causes the session regeneration).

saibotd commented 6 years ago

For now a quick "fix" is adding to your composer.json:

"conflict": {
    …
    "symfony/symfony": "3.4.11|3.3.17"
},

And remove the line

"roave/security-advisories": "dev-master",

From require.
Be sure to revert these changes once Contao got an update.

Edit: If you don't have the line "roave/security-advisories": "dev-master", don't re-add it.

fritzmg commented 6 years ago

"roave/security-advisories": "dev-master",

You should not re-add this. It's gone in the newest versions of the Contao Managed Edition.

m-vo commented 6 years ago

Imo you should never remove this and add it to every installation. :smiley: The reason it was removed wasn't that it's a bad idea in general, but rather that it's impossible to manage the requirement this way + users must understand the implications.

fritzmg commented 6 years ago

This requirement increases the memory consumption during dependency resolving by ~50% though.

fritzmg commented 6 years ago

@saibotd a better conflict would be

"contao/core-bundle": "<4.4.18"

This ensures that you get the newest Contao version and due to the conflict within the core-bundle it also ensures that you only get Symfony 3.4.6 and nothing higher (at the moment).

christian-kolb commented 6 years ago

To make matters worse there are Symfony security issues in the now locked 3.4.6:

leofeyer commented 6 years ago

I have adjusted the version constraint in 51923ae27ff703d4f17aefd9067d4b062d7f0e83.

binarious commented 6 years ago

Still security issues in the now locked 3.4.10:

symfony/security (v3.4.10)
--------------------------

 * CVE-2018-11406: CVE-2018-11406: CSRF Token Fixation
   https://symfony.com/cve-2018-11406
 * CVE-2018-11385: CVE-2018-11385: Session Fixation Issue for Guard Authentication
   https://symfony.com/cve-2018-11385

bytehead commented 6 years ago

It will be fixed with symfony/security 3.4.12.

binarious commented 6 years ago

Sure, but at the moment I can't deploy contao without security issues, can I?

bytehead commented 6 years ago

You could theoretically deploy contao/core-bundle 4.5.8 or contao/core-bundle 4.4.18 with symfony/security 3.4.11, but the authentication system won't work then.

TL;DR For a working installation it's not possible until symfony/security 3.4.12 is out.

leofeyer commented 6 years ago

Sure, but at the moment I can't deploy contao without security issues, can I?

You cannot. This is an unfortunate situation and there is nothing we can do except to wait for Symfony 3.4.12.

fritzmg commented 6 years ago

@m-vo another reason not to use roave/security-advisories directly in the composer.json https://twitter.com/fritz_mg/status/1012296407003344899 ;)

m-vo commented 6 years ago

Ouoh. Do you mind fixing that composer issue? :wink: