From: Ryan Weaver <ryan@thatsquality.com>
Date: Thu, 1 Feb 2018 08:53:47 -0500
Subject: Adding session authentication strategy to Guard to avoid session
 fixation

[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication

Origin: backport, https://github.com/symfony/symfony/commit/f2e83ba44df88adea3268ab81380417cb7366538
---
 .../Component/Security/Guard/GuardAuthenticatorHandler.php  | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php b/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
index 5e1351d..c2ba349 100644
--- a/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
+++ b/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
@@ -50,6 +50,7 @@ class GuardAuthenticatorHandler
      */
     public function authenticateWithToken(TokenInterface $token, Request $request)
     {
+        $this->migrateSession($request);
         $this->tokenStorage->setToken($token);
 
         if (null !== $this->dispatcher) {
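Review bot: The `migrateSession()` call added at the top of `authenticateWithToken()` is unconditional, so the session id is regenerated on every successful guard authentication, not only at an interactive login. If an authenticator validates credentials on each request while the client also sends a session cookie (an inference; the callers are outside this hunk), concurrent requests could race on the id change and lose the session. Consider letting stateless firewalls skip the migration. The side effect also belongs in the method's docblock, e.g. `Migrates the session id first so that an id issued before login is never bound to the authenticated token.` The method body continues outside the hunk.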
@@ -136,4 +137,16 @@ class GuardAuthenticatorHandler
             is_object($response) ? get_class($response) : gettype($response)
         ));
     }
+
+    private function migrateSession(Request $request)
+    {
+        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+            return;
+        }
+
+        // Destroying the old session is broken in php 5.4.0 - 5.4.10
+        // See https://bugs.php.net/63379
+        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
+        $request->getSession()->migrate($destroy);
+    }
 }
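Review bot: `migrateSession()` has no docblock, and the comment above `$destroy` does not say what the fallback means for security. On PHP 5.4.0 - 5.4.10 the method calls `migrate(false)`, which changes the id but leaves the old session data on the server. That is presumably still enough against fixation because the token is stored only after the migration, but the ordering dependency should be written down, e.g. `// With $destroy = false the pre-login session survives under its old id; it never holds the authenticated token because setToken() runs after this call.` A short docblock should also state that the method returns early when the request has no session or no previous session, so such requests are left untouched.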
