[Security] REMEMBERME cookie does not get deleted using the "logout_o…

…n_user_change" option

src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml

@@ -43,6 +43,7 @@
             <argument type="service" id="logger" on-invalid="null" />
             <argument type="service" id="event_dispatcher" on-invalid="null" />
             <argument type="service" id="security.authentication.trust_resolver" />
+            <argument type="service" id="security.authentication.rememberme" on-invalid="null" />
         </service>
 
         <service id="security.logout_listener" class="Symfony\Component\Security\Http\Firewall\LogoutListener" abstract="true">

src/Symfony/Component/Security/Http/Firewall/ContextListener.php

@@ -29,6 +29,7 @@
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
+use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
 
 /**
  * ContextListener manages the SecurityContext persistence through a session.
@@ -49,11 +50,13 @@ class ContextListener implements ListenerInterface
     private $dispatcher;
     private $registered;
     private $trustResolver;
+    private $logoutOnUserChange = false;
+    private $rememberMeServices;
 
     /**
      * @param iterable|UserProviderInterface[] $userProviders
      */
-    public function __construct(TokenStorageInterface $tokenStorage, iterable $userProviders, string $contextKey, LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, AuthenticationTrustResolverInterface $trustResolver = null)
+    public function __construct(TokenStorageInterface $tokenStorage, iterable $userProviders, string $contextKey, LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, AuthenticationTrustResolverInterface $trustResolver = null, RememberMeServicesInterface $rememberMeServices = null)
     {
         if (empty($contextKey)) {
             throw new \InvalidArgumentException('$contextKey must not be empty.');
@@ -65,6 +68,7 @@ public function __construct(TokenStorageInterface $tokenStorage, iterable $userP
         $this->logger = $logger;
         $this->dispatcher = $dispatcher;
         $this->trustResolver = $trustResolver ?: new AuthenticationTrustResolver(AnonymousToken::class, RememberMeToken::class);
+        $this->rememberMeServices = $rememberMeServices;
     }
 
     /**
@@ -109,6 +113,10 @@ public function __invoke(RequestEvent $event)
 
         if ($token instanceof TokenInterface) {
             $token = $this->refreshUser($token);
+
+            if (null === $token && null !== $this->rememberMeServices) {
+                $this->rememberMeServices->loginFail($request);
+            }
         } elseif (null !== $token) {
             if (null !== $this->logger) {
                 $this->logger->warning('Expected a security token from the session, got something else.', ['key' => $this->sessionKey, 'received' => $token]);

src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php

@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Tests\Firewall;
 
+use PHPUnit\Framework\Assert;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
@@ -25,6 +26,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
@@ -33,6 +35,7 @@
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
 use Symfony\Component\Security\Http\Firewall\ContextListener;
+use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
 
 class ContextListenerTest extends TestCase
 {
@@ -299,6 +302,26 @@ public function testRuntimeExceptionIsThrownIfNoSupportingUserProviderWasRegiste
         $this->handleEventWithPreviousSession(new TokenStorage(), [new NotSupportingUserProvider(), new NotSupportingUserProvider()]);
     }
 
+    public function testLogoutOnChangeEventAsBeenSent()
+    {
+        $tokenStorage = new TokenStorage();
+        $refreshedUser = new User('foobar', 'baz');
+
+        $user = new User('foo', 'bar');
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->set('_security_context_key', serialize(new UsernamePasswordToken($user, '', 'context_key', ['ROLE_USER'])));
+
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set('MOCKSESSID', true);
+        $listener = new ContextListener($tokenStorage, [new NotSupportingUserProvider(), new SupportingUserProvider($refreshedUser)], 'context_key', null, null, null, new testRememberMeServices($this));
+        $listener->setLogoutOnUserChange($refreshedUser);
+        $listener->handle(new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $this->assertNull($tokenStorage->getToken());
+    }
+
     public function testAcceptsProvidersAsTraversable()
     {
         $tokenStorage = new TokenStorage();
@@ -396,6 +419,24 @@ public function supportsClass($class)
     }
 }
 
+class testRememberMeServices implements RememberMeServicesInterface
+{
+    public function autoLogin(Request $request)
+    {
+    }
+
+    public function loginFail(Request $request, \Exception $exception = null)
+    {
+        Assert::assertTrue($request->cookies->get('MOCKSESSID'));
+
+        return null;
+    }
+
+    public function loginSuccess(Request $request, Response $response, TokenInterface $token)
+    {
+    }
+}
+
 class SupportingUserProvider implements UserProviderInterface
 {
     private $refreshedUser;