FormProtectionComponent with Authentication plugin active #17585
Comments
This is kind of expected, you're setting the identity which could be privilege escalation which should require form protection tokens to be rotated. This is important as it prevents form reuse after logout or login.
Tried to wrap it by overriding
but found that hidden input value is generated by Had to override also
Description
When FormProtectionComponent is enabled with Authentication plugin active, calling AuthenticationComponent::setIdentity() in parallel requests (ajax, generated image or another tab) causes a call of SessionAuthenticator::clearIdentity() and then Session::renew().
Result is that the session id is changed, and the main form submit will fail with BadRequestException.
Not sure if it's a bug, but at least it will be documented here.
In my case I have to override FormProtectionComponent::_getSessionId() to resolve it.
CakePHP Version
5.0.4
PHP Version
8.1
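
The failure reported above, as an added example that is not part of the issue and is not CakePHP's code: a stand-alone PHP simulation of a form token bound to the session id. The helper names, the salt and the HMAC layout are assumptions made for illustration. It shows why a form rendered before a parallel identity change is rejected on submit, which is the same property that stops a form from being reused after login or logout.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application salt (assumption, not a real value).
const APP_SALT = 'constructed-example-salt';

// Hypothetical helper: bind a token to the URL, the field list and the session id.
function formToken(string $url, array $fields, string $sessionId): string
{
    sort($fields);
    $material = implode('|', [$url, implode(',', $fields), $sessionId]);
    return hash_hmac('sha256', $material, APP_SALT);
}

// Hypothetical helper: recompute the token with the session id seen at submit time.
function validateToken(string $token, string $url, array $fields, string $sessionId): bool
{
    return hash_equals(formToken($url, $fields, $sessionId), $token);
}

// Hypothetical stand-in for a session renewal: the id is replaced by a fresh random one.
function renewSessionId(): string
{
    return bin2hex(random_bytes(16));
}

function verdict(bool $ok): string
{
    return $ok ? 'accepted' : 'rejected (the BadRequestException case)';
}

$url = '/articles/edit/1';      // constructed sample route
$fields = ['title', 'body'];    // constructed sample fields

// Request A renders the form; the token is computed under the current session id.
$sessionId = renewSessionId();
$token = formToken($url, $fields, $sessionId);

// Submit while the session id is unchanged.
printf("same session id:   %s\n", verdict(validateToken($token, $url, $fields, $sessionId)));

// Parallel request B (ajax, image, other tab) sets the identity, renewing the session id.
$sessionId = renewSessionId();

// Request A's form is submitted afterwards, carrying the token from the old session id.
printf("after renewal:     %s\n", verdict(validateToken($token, $url, $fields, $sessionId)));
```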