Advisories for Composer/Symfony/Security-Csrf package

The implementation of CSRF protection did not use different tokens for HTTP and HTTPS, therefore the token was subject to MITM attacks on HTTP and could then be used in HTTPS context to do CSRF attacks.

By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.