Merge branch '2.8' into 3.4

* 2.8:
  Avoiding authentication on every request with Guard
  [Filesystem] Improved the code of an example
  Removed another usage of mt_rand()
  Transition from mt_rand to random_int
  remove not existent label_attr options from buttons

Author: weaverryan

components/filesystem.rst

@@ -29,7 +29,7 @@ endpoint for filesystem operations::
     $fileSystem = new Filesystem();
 
     try {
-        $fileSystem->mkdir('/tmp/random/dir/'.mt_rand());
+        $fileSystem->mkdir(sys_get_temp_dir().'/'.random_int(0, 1000));
     } catch (IOExceptionInterface $exception) {
         echo "An error occurred while creating your directory at ".$exception->getPath();
     }

controller.rst

@@ -26,7 +26,7 @@ This renders a page that prints a lucky (random) number::
          */
         public function numberAction()
         {
-            $number = mt_rand(0, 100);
+            $number = random_int(0, 100);
 
             return new Response(
                 '<html><body>Lucky number: '.$number.'</body></html>'
@@ -68,7 +68,7 @@ class::
          */
         public function numberAction($max)
         {
-            $number = mt_rand(0, $max);
+            $number = random_int(0, $max);
 
             return new Response(
                 '<html><body>Lucky number: '.$number.'</body></html>'

page_creation.rst

@@ -58,7 +58,7 @@ random) number and prints it. To do that, create a "Controller class" and a
          */
         public function numberAction()
         {
-            $number = mt_rand(0, 100);
+            $number = random_int(0, 100);
 
             return new Response(
                 '<html><body>Lucky number: '.$number.'</body></html>'
@@ -128,7 +128,7 @@ variable so we can render that::
          */
         public function numberAction()
         {
-            $number = mt_rand(0, 100);
+            $number = random_int(0, 100);
 
             return $this->render('lucky/number.html.twig', array(
                 'number' => $number,

reference/forms/types/reset.rst

@@ -12,7 +12,6 @@ A button that resets all fields to their original values.
 | Inherited            | - `attr`_                                                           |
 | options              | - `disabled`_                                                       |
 |                      | - `label`_                                                          |
-|                      | - `label_attr`_                                                     |
 |                      | - `translation_domain`_                                             |
 +----------------------+---------------------------------------------------------------------+
 | Parent type          | :doc:`ButtonType </reference/forms/types/button>`                   |
@@ -43,6 +42,4 @@ as a key. This can be useful when you need to set a custom class for the button:
 
 .. include:: /reference/forms/types/options/button_label.rst.inc
 
-.. include:: /reference/forms/types/options/label_attr.rst.inc
-
 .. include:: /reference/forms/types/options/button_translation_domain.rst.inc

reference/forms/types/submit.rst

@@ -12,7 +12,6 @@ A submit button.
 | Inherited            | - `attr`_                                                            |
 | options              | - `disabled`_                                                        |
 |                      | - `label`_                                                           |
-|                      | - `label_attr`_                                                      |
 |                      | - `label_format`_                                                    |
 |                      | - `translation_domain`_                                              |
 |                      | - `validation_groups`_                                               |
@@ -54,8 +53,6 @@ as a key. This can be useful when you need to set a custom class for the button:
 
 .. include:: /reference/forms/types/options/button_label.rst.inc
 
-.. include:: /reference/forms/types/options/label_attr.rst.inc
-
 .. include:: /reference/forms/types/options/label_format.rst.inc
 
 .. include:: /reference/forms/types/options/button_translation_domain.rst.inc

security/guard_authentication.rst

@@ -536,6 +536,103 @@ and add the following logic::
         // ...
     }
 
+Avoid Authenticating the Browser on Every Request
+-------------------------------------------------
+
+If you create a Guard login system that's used by a browser and you're experiencing
+problems with your session or CSRF tokens, the cause could be bad behavior by your
+authenticator. When a Guard authenticator is meant to be used by a browser, you
+should *not* authenticate the user on *every* request. In other words, you need to
+make sure the ``getCredentials()`` method *only* returns a non-null value when
+you actually *need* to authenticate the user. Why? Because, when ``getCredentials()``
+returns a non-null value, for security purposes, the user's session is "migrated"
+to a new session id.
+
+This is an edge-case, and unless you're having session or CSRF token issues, you
+can ignore this. Here is an example of good and bad behavior::
+
+    public function getCredentials(Request $request)
+    {
+        // GOOD behavior: only authenticate on a specific route
+        if ($request->attributes->get('_route') !== 'login_route' || !$request->isMethod('POST')) {
+            return null;
+        }
+
+        // e.g. your login system authenticates by the user's IP address
+        // BAD behavior: authentication will now execute on every request
+        // even if the user is already authenticated (due to the session)
+        return array('ip' => $request->getClientIp());
+    }
+
+The problem occurs when your browser-based authenticator tries to authenticate
+the user on *every* request - like in the IP address-based example above. There
+are two possible fixes:
+
+1) If you do *not* need authentication to be stored in the session, set ``stateless: true``
+under your firewall.
+
+2) Update your authenticator to avoid authentication if the user is already authenticated:
+
+.. code-block:: diff
+
+    // src/Security/MyIpAuthenticator.php
+    // ...
+
+    + use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+
+    class MyIpAuthenticator
+    {
+    +     private $tokenStorage;
+
+    +     public function __construct(TokenStorageInterface $tokenStorage)
+    +     {
+    +         $this->tokenStorage = $tokenStorage;
+    +     }
+
+        public function getCredentials(Request $request)
+        {
+    +         // if there is already an authenticated user (likely due to the session)
+    +         // then return null and skip authentication: there is no need.
+    +         $user = $this->tokenStorage->getToken() ? $this->tokenStorage->getToken()->getUser() : null;
+    +         if (is_object($user)) {
+    +             return null;
+    +         }
+
+            return array('ip' => $request->getClientIp());
+        }
+    }
+
+You'll also need to update your service configuration to pass the token storage:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # app/config/services.yml
+        services:
+            app.token_authenticator:
+                class: AppBundle\Security\TokenAuthenticator
+                arguments: ['@security.token_storage']
+
+    .. code-block:: xml
+
+        <!-- app/config/services.xml -->
+        <services>
+            <service id="app.token_authenticator" class="AppBundle\Security\TokenAuthenticator">
+                <argument type="service" id="security.token_storage" />
+            </service>
+        </services>
+
+    .. code-block:: php
+
+        // app/config/services.php
+        use AppBundle\Security\TokenAuthenticator;
+        use Symfony\Component\DependencyInjection\Definition;
+        use Symfony\Component\DependencyInjection\Reference;
+
+        $container->register('app.token_authenticator', TokenAuthenticator::class)
+            ->addArgument(new Reference('security.token_storage'));
+
 Frequently Asked Questions
 --------------------------