From fa530409582c863f994549fb9267c1fc8206de64 Mon Sep 17 00:00:00 2001
From: Val Bancer
Date: Fri, 26 Jun 2026 13:39:56 +0200
Subject: [PATCH 1/2] Update AuthenticationComponent.php

This ensures that remember_me cookie is cleared after the user that already has this cookie logs in without remember_me checked.
---
 src/Controller/Component/AuthenticationComponent.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/Controller/Component/AuthenticationComponent.php b/src/Controller/Component/AuthenticationComponent.php
index 25b7c5fb..40e5921f 100644
--- a/src/Controller/Component/AuthenticationComponent.php
+++ b/src/Controller/Component/AuthenticationComponent.php
@@ -280,7 +280,11 @@ public function setIdentity(ArrayAccess $identity)
 
         $controller = $this->getController();
         $service = $this->getAuthenticationService();
-        $service->clearIdentity($controller->getRequest(), $controller->getResponse());
+        /** @psalm-var array{request: \Cake\Http\ServerRequest, response: \Cake\Http\Response} $result */
+        $result = $service->clearIdentity($controller->getRequest(), $controller->getResponse());
+
+        $controller->setRequest($result['request']);
+        $controller->setResponse($result['response']);
 
         /** @psalm-var array{request: \Cake\Http\ServerRequest, response: \Cake\Http\Response} $result */
         $result = $service->persistIdentity(

From 5c0a13b130e8d44a3ef2e3ea007bbdf94bd744a9 Mon Sep 17 00:00:00 2001
From: bancer
Date: Mon, 29 Jun 2026 10:28:23 +0200
Subject: [PATCH 2/2] Add unit tests

---
 .../Component/AuthenticationComponentTest.php | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/tests/TestCase/Controller/Component/AuthenticationComponentTest.php b/tests/TestCase/Controller/Component/AuthenticationComponentTest.php
index 231ebf66..391b057a 100644
--- a/tests/TestCase/Controller/Component/AuthenticationComponentTest.php
+++ b/tests/TestCase/Controller/Component/AuthenticationComponentTest.php
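Review bot: The fix only holds if the persistIdentity() call on the hunk's last line is given `$controller->getRequest()` and `$controller->getResponse()` after the two set calls; if it still receives a request/response captured before clearIdentity(), the expired CookieAuth header produced by the clear is discarded again, which is the very symptom the commit message describes. setIdentity's body and that argument list continue outside the hunk, so this cannot be confirmed here and deserves a look. The reason for clearing before persisting is not visible in the code itself; a why-comment above the new `$result = $service->clearIdentity(...)` line would help: `// Clear any identity from an earlier login first so a stale remember-me cookie is expired when this login does not request one; persistIdentity() re-issues the cookie only when asked to.` The second `@psalm-var` annotation repeats the first for the same variable and type, so one of them can go.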
@@ -258,6 +258,63 @@ public function testSetIdentityOverwrite()
         );
     }
 
+    public function testSetIdentityWithCookieAuthDoNotRememberMe()
+    {
+        $service = new AuthenticationService([
+            'identifiers' => [
+                'Authentication.Password',
+            ],
+            'authenticators' => [
+                'Authentication.Session',
+                'Authentication.Form',
+                'Authentication.Cookie',
+            ],
+        ]);
+        $request = $this->request->withAttribute('authentication', $service)
+            ->withData('remember_me', 0);
+
+        $controller = new Controller($request, $this->response);
+        $registry = new ComponentRegistry($controller);
+        $component = new AuthenticationComponent($registry);
+
+        $component->setIdentity($this->identityData);
+        $result = $component->getIdentity();
+        $this->assertSame($this->identityData, $result->getOriginalData());
+        $expectedCookieHeader = [
+            'CookieAuth=; expires=Thu, 01-Jan-1970 00:00:01 GMT+0000; path=/',
+        ];
+        $actualCookieHeader = $controller->getResponse()->getHeader('Set-Cookie');
+        $this->assertSame($expectedCookieHeader, $actualCookieHeader);
+    }
+
+    public function testSetIdentityWithCookieAuthRememberMe()
+    {
+        $service = new AuthenticationService([
+            'identifiers' => [
+                'Authentication.Password',
+            ],
+            'authenticators' => [
+                'Authentication.Session',
+                'Authentication.Form',
+                'Authentication.Cookie',
+            ],
+        ]);
+        $request = $this->request->withAttribute('authentication', $service)
+            ->withData('remember_me', 1);
+
+        $controller = new Controller($request, $this->response);
+        $registry = new ComponentRegistry($controller);
+        $component = new AuthenticationComponent($registry);
+
+        $component->setIdentity($this->identityData);
+        $result = $component->getIdentity();
+        $this->assertSame($this->identityData, $result->getOriginalData());
+        $actualCookieHeader = $controller->getResponse()->getHeader('Set-Cookie');
+        $this->assertCount(2, $actualCookieHeader);
+        $this->assertStringContainsString('CookieAuth=', $actualCookieHeader[1]);
+        $this->assertStringNotContainsString('expires=Thu, 01-Jan-1970 
00:00:01 GMT+0000;', $actualCookieHeader[1]); + } + /** * testGetIdentity *
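Review bot: testSetIdentityWithCookieAuthRememberMe pins the remember-me outcome only through header order and the absence of the 1970 expiry in `$actualCookieHeader[1]`, so it would still pass if `[1]` were an empty `CookieAuth=` with a different expiry or if `[0]` were not the expired cookie at all. Asserting the expired header explicitly, `$this->assertSame('CookieAuth=; expires=Thu, 01-Jan-1970 00:00:01 GMT+0000; path=/', $actualCookieHeader[0]);` (presumably the same string the sibling test expects), together with a non-empty value check, `$this->assertStringNotContainsString('CookieAuth=;', $actualCookieHeader[1]);`, would show that the stale cookie is expired and a fresh one issued on the same response. Both tests also set `remember_me` to the integers 0 and 1, whereas a submitted form arrives as the strings '0' and '1'; if the Cookie authenticator reads the field by truthiness the result is identical, but the string values keep the test aligned with real input. The service, controller, registry and component setup is duplicated verbatim across the two tests and could move into a private helper that takes the remember_me value.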