Skip to content

Document Security Events #4373

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
weaverryan opened this issue Oct 25, 2014 · 7 comments
Closed

Document Security Events #4373

weaverryan opened this issue Oct 25, 2014 · 7 comments
Labels
actionable Clear and specific issues ready for anyone to take them. hasPR A Pull Request has already been submitted for this issue. Security

Comments

@weaverryan
Copy link
Member

See the SecurityEvents class for these 2:

  • security.interactive_login
  • security.switch_user

And AuthenticationEvents for these 2:

  • security.authentication.success
  • security.authentication.failure

We should at least have a mention of them somewhere and when you would use them. This relates partially to #802. I've also never been clear on security.interactive_login, it's name and PHPDoc suggests that there are other, non-interactive ways to login, and so that a listener to this would not cover all login cases. I'm not sure what that includes/doesn't include.
@weaverryan weaverryan added Missing Documentation actionable Clear and specific issues ready for anyone to take them. Security labels Oct 25, 2014
@weaverryan weaverryan mentioned this issue Oct 25, 2014
Closed
@wouterj
Copy link
Member

wouterj commented Oct 25, 2014

It was introduced in fabpot/symfony#520 without any further comments. @schmittjoh can you maybe help us with this?

@stof
Copy link
Member

stof commented Nov 7, 2014

@weaverryan when doing the authentication in the firewall, there is several ways it can be non-interactive:

  • authenticating based on a remember me cookie
  • authenticating based on the session (generally because you use an interactive login or a remember me cookie for a previous request)
  • authenticating using a HTTP basic or HTTP digest header (which is sent alongside the request)

@stof
Copy link
Member

stof commented Nov 7, 2014

and if you want to have a listener triggered for all authentication cases, it should listen to an authentication event: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/AuthenticationEvents.php

@weaverryan
Copy link
Member Author

@stof Ah, I didn't even know about the AuthenticationEvents, awesome!

We have security.interactive_login that is trigged under most things that we thinking of as "logging in". And then we have the AuthenticationEvents, which are always triggered (even if it's really just that the user is browsing to a page and is being authenticated via a normal session cookie).

It seems to me that you'll want security.interactive_login if you want to do something after the user has physically logged in (e.g. set a lastLoggedInAt field on a User table). You would want to listen to security.authentication.success if... I'm not sure. Does anyone have a use-case here? Setting a lastActiveAt field? That doesn't seem like a very understandable use-case.

Thanks!

@stof
Copy link
Member

stof commented Nov 7, 2014

For security.authentication.failure, good use cases are logging failed attempts (for instance to prevent retrying after too many failures.

For security.authentication.success, a use case could be user-based rate-limiting when implementing an API for instance (not sure it is the best place to implement though as this is just an idea I found at this time, without exploring to determine the better way to do it. There might be better ways). but the initial feature request was for the failure event. the success one was mainly added for consistency

@arnaugm
Copy link

arnaugm commented Mar 10, 2015

What would be the best event to listen to in the case I want to show a message every time a user logs in (including remember me option enabled) and this user has some specific characteristics?

I understand that security.interactive_login is not enough.
If I use security.authentication.success, what happens when the user is authenticated but not authorized?

@arnaugm
Copy link

arnaugm commented Mar 10, 2015

I just realized that security.authentication.success is triggered in every request, not only after the login. Now I understand better the reason of security.interactive_login.

I checked that the remember me cookie triggers security.interactive_login as well, which means that this feature is considered interactive.

@kevintweber kevintweber mentioned this issue May 23, 2015
Merged
@xabbuh xabbuh added the hasPR A Pull Request has already been submitted for this issue. label May 23, 2015
@wouterj wouterj mentioned this issue Aug 16, 2015
Closed
weaverryan added a commit that referenced this issue Jan 10, 2016
@weaverryan
feature #5303 [WIP] 4373 - document security events (kevintweber)
b22637c 
This PR was merged into the 2.3 branch.

Discussion
----------

[WIP] 4373 - document security events

This is documentation for #4373.  This pull request has two parts:
* The component/security/authentication additions
* The new cookbook security cookbook page.

The new cookbook page is designed to give an example of how to use authentication events in an application.  I have given example code for two of the four classes needed to throttle failed login attempts.  The other two classes are a doctrine entity, and a class containing throttle domain logic, both of which are outside the scope of this documentation.

I would welcome any comments and suggestions.  Thank you.

Commits
-------

0dbabfe Security - Cookbook - removed bad example.
69c0089 Merge branch '4373_Document_Security_Events' of github.com:kevintweber/symfony-docs into 4373_Document_Security_Events
a14bd07 Security - Authentication - removed inaccurate tip.
f15bea4 Added new cookbook page to security index.
5bdfd71 Better formatting for authentication tip.
9b2e9d8 Better section titles for security events on authentication page.
286f00c Added security event descriptions to security component authentication page.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
actionable Clear and specific issues ready for anyone to take them. hasPR A Pull Request has already been submitted for this issue. Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@weaverryan @stof @wouterj @arnaugm @xabbuh