Merge branch '6.1' into 6.2

* 6.1:
  [HttpFoundation] Fix bad return type in IpUtils::checkIp4()
  [DependencyInjection] Fix order of arguments when mixing positional and named ones
  [HttpClient] Fix collecting data non-late for the profiler
  [Security/Http] Fix compat of persistent remember-me with legacy tokens
  Bump Symfony version to 6.1.12
  Update VERSION for 6.1.11
  Update CHANGELOG for 6.1.11
  Bump Symfony version to 6.0.20
  Update VERSION for 6.0.19
  Update CHANGELOG for 6.0.19
  Bump Symfony version to 5.4.20
  Update VERSION for 5.4.19
  Update CONTRIBUTORS for 5.4.19
  Update CHANGELOG for 5.4.19
  [Security/Http] Remove CSRF tokens from storage on successful login
  [HttpKernel] Remove private headers before storing responses with HttpCache

Author: nicolas-grekas

Resources/config/security.php

@@ -106,7 +106,10 @@
         ->set('security.authentication.trust_resolver', AuthenticationTrustResolver::class)
 
         ->set('security.authentication.session_strategy', SessionAuthenticationStrategy::class)
-            ->args([param('security.authentication.session_strategy.strategy')])
+            ->args([
+                param('security.authentication.session_strategy.strategy'),
+                service('security.csrf.token_storage')->ignoreOnInvalid(),
+            ])
         ->alias(SessionAuthenticationStrategyInterface::class, 'security.authentication.session_strategy')
 
         ->set('security.authentication.session_strategy_noop', SessionAuthenticationStrategy::class)

Tests/Functional/CsrfFormLoginTest.php

@@ -11,6 +11,12 @@
 
 namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
+use Symfony\Bundle\FrameworkBundle\KernelBrowser;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+
 class CsrfFormLoginTest extends AbstractWebTestCase
 {
     /**
@@ -20,6 +26,10 @@ public function testFormLoginAndLogoutWithCsrfTokens($options)
     {
         $client = $this->createClient($options);
 
+        $this->callInRequestContext($client, function () {
+            static::getContainer()->get('security.csrf.token_storage')->setToken('foo', 'bar');
+        });
+
         $form = $client->request('GET', '/login')->selectButton('login')->form();
         $form['user_login[username]'] = 'johannes';
         $form['user_login[password]'] = 'test';
@@ -40,6 +50,10 @@ public function testFormLoginAndLogoutWithCsrfTokens($options)
         $client->click($logoutLinks[0]);
 
         $this->assertRedirect($client->getResponse(), '/');
+
+        $this->callInRequestContext($client, function () {
+            $this->assertFalse(static::getContainer()->get('security.csrf.token_storage')->hasToken('foo'));
+        });
     }
 
     /**
@@ -49,6 +63,10 @@ public function testFormLoginWithInvalidCsrfToken($options)
     {
         $client = $this->createClient($options);
 
+        $this->callInRequestContext($client, function () {
+            static::getContainer()->get('security.csrf.token_storage')->setToken('foo', 'bar');
+        });
+
         $form = $client->request('GET', '/login')->selectButton('login')->form();
         $form['user_login[_token]'] = '';
         $client->submit($form);
@@ -57,6 +75,10 @@ public function testFormLoginWithInvalidCsrfToken($options)
 
         $text = $client->followRedirect()->text(null, true);
         $this->assertStringContainsString('Invalid CSRF token.', $text);
+
+        $this->callInRequestContext($client, function () {
+            $this->assertTrue(static::getContainer()->get('security.csrf.token_storage')->hasToken('foo'));
+        });
     }
 
     /**
@@ -105,4 +127,22 @@ public function provideClientOptions()
         yield [['test_case' => 'CsrfFormLogin', 'root_config' => 'config.yml']];
         yield [['test_case' => 'CsrfFormLogin', 'root_config' => 'routes_as_path.yml']];
     }
+
+    private function callInRequestContext(KernelBrowser $client, callable $callable): void
+    {
+        /** @var EventDispatcherInterface $eventDispatcher */
+        $eventDispatcher = static::getContainer()->get(EventDispatcherInterface::class);
+        $wrappedCallable = function (RequestEvent $event) use (&$callable) {
+            $callable();
+            $event->setResponse(new Response(''));
+            $event->stopPropagation();
+        };
+
+        $eventDispatcher->addListener(KernelEvents::REQUEST, $wrappedCallable);
+        try {
+            $client->request('GET', '/'.uniqid('', true));
+        } finally {
+            $eventDispatcher->removeListener(KernelEvents::REQUEST, $wrappedCallable);
+        }
+    }
 }

Tests/Functional/LogoutTest.php

@@ -24,18 +24,14 @@ public function testCsrfTokensAreClearedOnLogout()
     {
         $client = $this->createClient(['test_case' => 'LogoutWithoutSessionInvalidation', 'root_config' => 'config.yml']);
         $client->disableReboot();
-        $this->callInRequestContext($client, function () {
-            static::getContainer()->get('security.csrf.token_storage')->setToken('foo', 'bar');
-        });
 
         $client->request('POST', '/login', [
             '_username' => 'johannes',
             '_password' => 'test',
         ]);
 
         $this->callInRequestContext($client, function () {
-            $this->assertTrue(static::getContainer()->get('security.csrf.token_storage')->hasToken('foo'));
-            $this->assertSame('bar', static::getContainer()->get('security.csrf.token_storage')->getToken('foo'));
+            static::getContainer()->get('security.csrf.token_storage')->setToken('foo', 'bar');
         });
 
         $client->request('GET', '/logout');

composer.json

@@ -27,7 +27,7 @@
         "symfony/password-hasher": "^5.4|^6.0",
         "symfony/security-core": "^6.2",
         "symfony/security-csrf": "^5.4|^6.0",
-        "symfony/security-http": "^6.2"
+        "symfony/security-http": "^6.2.6"
     },
     "require-dev": {
         "doctrine/annotations": "^1.10.4|^2",