[Security] Do not try to clear CSRF on stateless request

Seb33300 · Aug 25, 2024 · 00da582 · 00da582
1 parent 93e8814
commit 00da582
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php b/src/Symfony/Component/Security/Http/EventListener/CsrfTokenClearingLogoutListener.php
@@ -32,7 +32,12 @@ public function __construct(ClearableTokenStorageInterface $csrfTokenStorage)
 
     public function onLogout(LogoutEvent $event): void
     {
-        if ($this->csrfTokenStorage instanceof SessionTokenStorage && !$event->getRequest()->hasPreviousSession()) {
+        $request = $event->getRequest();
+
+        if (
+            $this->csrfTokenStorage instanceof SessionTokenStorage
+            && ($request->attributes->getBoolean('_stateless') || !$request->hasPreviousSession())
+        ) {
             return;
         }