Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue.
The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fixed before its final release.
Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.
By default, a user’s session is invalidated when the user is logged out. This
behavior can be disabled through the
invalidate_session option. In this
case, CSRF tokens where not erased during logout which allowed for
CSRF token fixation.
We fixed this issue by clearing all CSRF tokens when the user is logged out.
I would like to thank Kévin Liagre for reporting this security issue, Christian Flothmann for working on a fix, and the Symfony Core Team for reviewing the patch.Be trained by Symfony experts - 2018-05-30 Paris - 2018-06-4 Clichy - 2018-06-4 Clichy