Affected versions
Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue.
The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fixed before its final release.
Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.
Description
By default, a user’s session is invalidated when the user is logged out. This
behavior can be disabled through the invalidate_session option. In this
case, CSRF tokens where not erased during logout which allowed for
CSRF token fixation.
Resolution
We fixed this issue by clearing all CSRF tokens when the user is logged out.
Credits
I would like to thank Kévin Liagre for reporting this security issue, Christian Flothmann for working on a fix, and the Symfony Core Team for reviewing the patch.