From 556365bc458711ad575a5fcd1cf7fab3923d8022 Mon Sep 17 00:00:00 2001 From: ryancastle Date: Wed, 28 May 2014 12:02:21 +0930 Subject: [PATCH 1/3] Removed redundant POST request exclusion info The default ``ExceptionListener::setTargetPath()`` already excludes POSTs/PUTs, so suggesting that people who implement their own listener to do this is a bit misleading. However, doing this to prevent XMLHttpRequest URIs from being saved is still valuable. --- cookbook/security/target_path.rst | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/cookbook/security/target_path.rst b/cookbook/security/target_path.rst index 53914102f33..1c101954bf5 100644 --- a/cookbook/security/target_path.rst +++ b/cookbook/security/target_path.rst @@ -10,9 +10,9 @@ the name of the firewall, defined in ``security.yml``). Upon a successful login, the user is redirected to this path, as to help them continue from the last known page they visited. -On some occasions, this is unexpected. For example when the last request -URI was an HTTP POST against a route which is configured to allow only a POST -method, the user is redirected to this route only to get a 404 error. +On some occasions, this is unexpected. For example when the last request before logout +was an XMLHttpRequest route, the user may be redirected back to an invalid +route. To get around this behavior, you would simply need to extend the ``ExceptionListener`` class and override the default method named ``setTargetPath()``. @@ -56,9 +56,10 @@ Next, create your own ``ExceptionListener``:: { protected function setTargetPath(Request $request) { - // Do not save target path for XHR and non-GET requests + // Do not save target path for XHR requests // You can add any more logic here you want - if ($request->isXmlHttpRequest() || 'GET' !== $request->getMethod()) { + // Note that non-GET requests are already ignored + if ($request->isXmlHttpRequest()) { return; } 
From c633f6b67310f9d2c06f3d2dda72848d558795b1 Mon Sep 17 00:00:00 2001 From: Ryan Castle Date: Mon, 18 Aug 2014 10:43:41 +0930 Subject: [PATCH 2/3] Improved clarity of explanation around overriding setTargetPath() --- cookbook/security/target_path.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cookbook/security/target_path.rst b/cookbook/security/target_path.rst index 1c101954bf5..e2055373990 100644 --- a/cookbook/security/target_path.rst +++ b/cookbook/security/target_path.rst @@ -10,9 +10,9 @@ the name of the firewall, defined in ``security.yml``). Upon a successful login, the user is redirected to this path, as to help them continue from the last known page they visited. -On some occasions, this is unexpected. For example when the last request before logout -was an XMLHttpRequest route, the user may be redirected back to an invalid -route. +In some situations, this is not ideal. For example when the last request +URI was an XMLHttpRequest which returned a non-HTML or partial HTML response, +the user is redirected back to a page which the browser cannot render. To get around this behavior, you would simply need to extend the ``ExceptionListener`` class and override the default method named ``setTargetPath()``. From 01fc656508cd5934f2aeeb2ba0c961dc700f5bf7 Mon Sep 17 00:00:00 2001 From: Ryan Castle Date: Mon, 18 Aug 2014 18:36:52 +0930 Subject: [PATCH 3/3] Added comma after "For example" --- cookbook/security/target_path.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbook/security/target_path.rst b/cookbook/security/target_path.rst index e2055373990..0bc2902f947 100644 --- a/cookbook/security/target_path.rst +++ b/cookbook/security/target_path.rst 
@@ -10,7 +10,7 @@ the name of the firewall, defined in ``security.yml``). Upon a successful login, the user is redirected to this path, as to help them continue from the last known page they visited. -In some situations, this is not ideal. For example when the last request +In some situations, this is not ideal. For example, when the last request URI was an XMLHttpRequest which returned a non-HTML or partial HTML response, the user is redirected back to a page which the browser cannot render.
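Review bot: In PATCH 1/3, first hunk (@@ -10,9 +10,9 @@), the added phrase "the last request before logout" does not fit the surrounding context, which describes the redirect as happening upon a successful login and says nothing about logout. "XMLHttpRequest route" and "invalid route" are also imprecise: the request is the XMLHttpRequest, and the sentence never says what makes the route invalid. Suggest "when the last request was an XMLHttpRequest, the user may be redirected to a URI that was not meant to be loaded as a page".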
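Review bot: In PATCH 1/3, second hunk (@@ -56,9 +56,10 @@), the added comment "Note that non-GET requests are already ignored" does not say what ignores them. The commit message attributes this to the default ``ExceptionListener::setTargetPath()``, so the comment only holds if the override goes on to call ``parent::setTargetPath($request)``, which is outside the visible lines. Suggest "non-GET requests are already ignored by the parent implementation", placed beside the parent call, so a reader who copies only the ``if`` block does not drop the method check without noticing. The comment also lands after "You can add any more logic here you want", which separates the two lines that describe the condition; move it above that line or below the ``if``.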
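Review bot: In PATCH 2/3 (@@ -10,9 +10,9 @@), the added text "the last request URI was an XMLHttpRequest" equates a URI with a request. Suggest "when the last request was an XMLHttpRequest that returned a non-HTML or partial HTML response". The closing clause "a page which the browser cannot render" also overstates the partial-HTML case named in the same sentence, since a browser will render a fragment; "a response that is not meant to be displayed as a full page" matches the example better.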