nelmio / NelmioSecurityBundle

Adds extra security-related features in your Symfony application
https://symfony.com/bundles/NelmioSecurityBundle/
MIT License

Incompatible with Symfony's clearCookie() strategy #313

Open johnpez opened 2 years ago

johnpez commented 2 years ago

Symfony's default method of deleting cookies is calling $response->headers->clearCookie('cookie_name') which sets the cookie to have a value of null and an expiration in 1 second.

This breaks if the cookie is signed, on line 79 of SignedCookieListener.php, when the code attempts to sign the "null" value.

$this->signer->getSignedValue($cookie->getValue()) fails when $cookie->getValue() returns null.

I'm not entirely sure what the cleanest solution is. Either change the above line so it does not try to sign the cookie when the value is null (probably?), or maybe convert null values to a string?

For now, my workaround is to avoid clearCookie and to set the cookie to an expiration of 1 and a value of '', but this is messier than using the built-in Symfony method.

Seldaek commented 2 years ago

I think skipping the signing if we detect a null value sounds good, if you want to send a PR
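As an added illustration, not code from the bundle or from either commenter, the following stand-alone PHP 8.1+ sketch reproduces the failure mode described in this thread with a hypothetical HMAC signer and cookie model, then shows the guard Seldaek proposes (skip signing when the value is null). `ExampleSigner`, `ExampleCookie`, `signCookiesNaive` and `signCookiesGuarded` are assumed names; the bundle's real `Signer` and `SignedCookieListener` are not reproduced. The cleared cookie uses an expiry of 1, mirroring the workaround in the thread.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a cookie signer (not the bundle's Signer):
// HMAC-SHA256 over the value, appended as "value.signature".
final class ExampleSigner
{
    public function __construct(private string $secret) {}

    public function getSignedValue(string $value): string
    {
        return $value . '.' . hash_hmac('sha256', $value, $this->secret);
    }

    /** Returns the original value, or null if the signature does not verify. */
    public function getVerifiedRawValue(string $signedValue): ?string
    {
        $pos = strrpos($signedValue, '.');
        if ($pos === false) {
            return null;
        }
        $value = substr($signedValue, 0, $pos);
        $sig = substr($signedValue, $pos + 1);
        // Constant-time comparison so a tampered value cannot be probed byte by byte.
        return hash_equals(hash_hmac('sha256', $value, $this->secret), $sig) ? $value : null;
    }
}

// Minimal cookie model (assumption) with only the fields the issue is about.
final class ExampleCookie
{
    public function __construct(
        public readonly string $name,
        public readonly ?string $value,
        public readonly int $expires,
    ) {}

    public function withValue(?string $value): self
    {
        return new self($this->name, $value, $this->expires);
    }

    /** What a "clear cookie" operation produces: null value, expiry already in the past. */
    public static function cleared(string $name): self
    {
        return new self($name, null, 1);
    }
}

// Naive step: signs every cookie on the sign-list, deletion cookies included.
// A null value reaches a string-typed parameter, so PHP throws a TypeError
// and the Set-Cookie header that should delete the cookie is never emitted.
function signCookiesNaive(array $cookies, array $signedNames, ExampleSigner $signer): array
{
    return array_map(
        fn (ExampleCookie $c) => in_array($c->name, $signedNames, true)
            ? $c->withValue($signer->getSignedValue($c->value))
            : $c,
        $cookies
    );
}

// Guarded step: leave null-valued (deletion) cookies untouched so the browser
// still receives the expired Set-Cookie and drops the cookie.
function signCookiesGuarded(array $cookies, array $signedNames, ExampleSigner $signer): array
{
    return array_map(
        fn (ExampleCookie $c) => ($c->value !== null && in_array($c->name, $signedNames, true))
            ? $c->withValue($signer->getSignedValue($c->value))
            : $c,
        $cookies
    );
}

// Constructed sample response: one live signed cookie, one being cleared.
$signer = new ExampleSigner('example-secret-not-for-production');
$cookies = [
    new ExampleCookie('session_hint', 'user-42', time() + 3600),
    ExampleCookie::cleared('session_hint_old'),
];
$signedNames = ['session_hint', 'session_hint_old'];

try {
    signCookiesNaive($cookies, $signedNames, $signer);
    echo "naive: no error\n";
} catch (TypeError $e) {
    echo "naive: TypeError when signing the null-valued deletion cookie\n";
}

foreach (signCookiesGuarded($cookies, $signedNames, $signer) as $c) {
    printf("%s => %s (expires %d)\n", $c->name, $c->value ?? '(null, deletion)', $c->expires);
}

// Verification side: the genuine value round-trips, a tampered value is rejected.
$signed = $signer->getSignedValue('user-42');
var_dump($signer->getVerifiedRawValue($signed) === 'user-42');
var_dump($signer->getVerifiedRawValue('user-99' . substr($signed, strlen('user-42'))) === null);
```

The guard keys on the value being null rather than on the expiry, because a signed cookie that legitimately carries an empty or past-dated value should still be signed; only the null produced by a clear operation has nothing to sign.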