[HttpKernel] Fix session handling: decouple "save" from setting response "private"

nicolas-grekas · nicolas-grekas · commit 29e4128ad115 · 2018-01-06T10:01:20.000+01:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml b/src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
@@ -67,6 +67,7 @@
                     <tag name="container.service_locator" />
                     <argument type="collection">
                         <argument key="session" type="service" id="session" on-invalid="ignore" />
+                        <argument key="initialized_session" type="service" id="session" on-invalid="ignore_uninitialized" />
                     </argument>
                 </service>
             </argument>
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -824,7 +824,12 @@ public function get($key, $default = null)
      */
     public function getSession()
     {
-        return $this->session;
+        $session = $this->session;
+        if (!$session instanceof SessionInterface && null !== $session) {
+            $this->setSession($session = $session());
+        }
+
+        return $session;
     }
 
     /**
@@ -836,7 +841,7 @@ public function getSession()
     public function hasPreviousSession()
     {
         // the check for $this->session avoids malicious users trying to fake a session cookie with proper name
-        return $this->hasSession() && $this->cookies->has($this->session->getName());
+        return $this->hasSession() && $this->cookies->has($this->getSession()->getName());
     }
 
     /**
@@ -863,6 +868,14 @@ public function setSession(SessionInterface $session)
         $this->session = $session;
     }
 
+    /**
+     * @internal
+     */
+    public function setSessionFactory(callable $factory)
+    {
+        $this->session = $factory;
+    }
+
     /**
      * Returns the client IP addresses.
      *
diff --git a/src/Symfony/Component/HttpFoundation/Session/Session.php b/src/Symfony/Component/HttpFoundation/Session/Session.php
@@ -29,6 +29,7 @@ class Session implements SessionInterface, \IteratorAggregate, \Countable
     private $flashName;
     private $attributeName;
     private $data = array();
+    private $hasStarted = false;
 
     /**
      * @param SessionStorageInterface $storage    A SessionStorageInterface instance
@@ -53,6 +54,8 @@ public function __construct(SessionStorageInterface $storage = null, AttributeBa
      */
     public function start()
     {
+        $this->hasStarted = true;
+
         return $this->storage->start();
     }
 
@@ -140,6 +143,16 @@ public function count()
         return count($this->getAttributeBag()->all());
     }
 
+    /**
+     * @return bool
+     *
+     * @internal
+     */
+    public function hasStarted()
+    {
+        return $this->hasStarted;
+    }
+
     /**
      * @return bool
      *
@@ -235,6 +248,8 @@ public function registerBag(SessionBagInterface $bag)
      */
     public function getBag($name)
     {
+        $this->hasStarted = true;
+
         return $this->storage->getBag($name)->getBag();
     }
 
@@ -257,6 +272,6 @@ public function getFlashBag()
      */
     private function getAttributeBag()
     {
-        return $this->storage->getBag($this->attributeName)->getBag();
+        return $this->getBag($this->attributeName);
     }
 }
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\HttpKernel\EventListener;
 
+use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
@@ -30,12 +31,9 @@ public function onKernelRequest(GetResponseEvent $event)
         }
 
         $request = $event->getRequest();
-        $session = $this->getSession();
-        if (null === $session || $request->hasSession()) {
-            return;
+        if (!$request->hasSession()) {
+            $request->setSessionFactory(function () { return $this->getSession(); });
         }
-
-        $request->setSession($session);
     }
 
     public static function getSubscribedEvents()
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php
@@ -61,10 +61,10 @@ public function onKernelResponse(FilterResponseEvent $event)
         $session = $event->getRequest()->getSession();
         if ($session && $session->isStarted()) {
             $session->save();
-            if (!$session instanceof Session || !\method_exists($session, 'isEmpty') || !$session->isEmpty()) {
-                $params = session_get_cookie_params();
-                $event->getResponse()->headers->setCookie(new Cookie($session->getName(), $session->getId(), 0 === $params['lifetime'] ? 0 : time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']));
-            }
+        }
+        if ($session && ($session instanceof Session ? $session->hasStarted() && !$session->isEmpty() : $sessions->isStarted())) {
+            $params = session_get_cookie_params();
+            $event->getResponse()->headers->setCookie(new Cookie($session->getName(), $session->getId(), 0 === $params['lifetime'] ? 0 : time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']));
         }
     }
 
diff --git a/src/Symfony/Component/HttpKernel/EventListener/SaveSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/SaveSessionListener.php
@@ -53,10 +53,6 @@ public function onKernelResponse(FilterResponseEvent $event)
         $session = $event->getRequest()->getSession();
         if ($session && $session->isStarted()) {
             $session->save();
-            $event->getResponse()
-                ->setPrivate()
-                ->setMaxAge(0)
-                ->headers->addCacheControlDirective('must-revalidate');
         }
     }
 
diff --git a/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php
@@ -12,6 +12,8 @@
 namespace Symfony\Component\HttpKernel\EventListener;
 
 use Psr\Container\ContainerInterface;
+use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
 
 /**
  * Sets the session in the request.
@@ -29,6 +31,24 @@ public function __construct(ContainerInterface $container)
         $this->container = $container;
     }
 
+    public function onKernelResponse(FilterResponseEvent $event)
+    {
+        if (!$event->isMasterRequest()) {
+            return;
+        }
+
+        if (!$session = $this->container->has('initialized_session') ? $this->container->get('initialized_session') : null) {
+            return;
+        }
+
+        if ($session->hasStarted()) {
+            $event->getResponse()
+                ->setPrivate()
+                ->setMaxAge(0)
+                ->headers->addCacheControlDirective('must-revalidate');
+        }
+    }
+
     protected function getSession()
     {
         if (!$this->container->has('session')) {
@@ -37,4 +57,12 @@ protected function getSession()
 
         return $this->container->get('session');
     }
+
+    public static function getSubscribedEvents()
+    {
+        return parent::getSubscribedEvents() + array(
+            // low priority to come after regular response listeners
+            KernelEvents::RESPONSE => array(array('onKernelResponse', -1000)),
+        );
+    }
 }
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/SaveSessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/SaveSessionListenerTest.php
@@ -45,9 +45,5 @@ public function testSessionSavedAndResponsePrivate()
         $request->setSession($session);
         $response = new Response();
         $listener->onKernelResponse(new FilterResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, $response));
-
-        $this->assertTrue($response->headers->hasCacheControlDirective('private'));
-        $this->assertTrue($response->headers->hasCacheControlDirective('must-revalidate'));
-        $this->assertSame('0', $response->headers->getCacheControlDirective('max-age'));
     }
 }
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
@@ -0,0 +1,85 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpKernel\Tests\EventListener;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\DependencyInjection\Container;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
+use Symfony\Component\HttpKernel\EventListener\AbstractSessionListener;
+use Symfony\Component\HttpKernel\EventListener\SessionListener;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+
+class SessionListenerTest extends TestCase
+{
+    public function testOnlyTriggeredOnMasterRequest()
+    {
+        $listener = $this->getMockForAbstractClass(AbstractSessionListener::class);
+        $event = $this->getMockBuilder(GetResponseEvent::class)->disableOriginalConstructor()->getMock();
+        $event->expects($this->once())->method('isMasterRequest')->willReturn(false);
+        $event->expects($this->never())->method('getRequest');
+
+        // sub request
+        $listener->onKernelRequest($event);
+    }
+
+    public function testSessionIsSet()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+
+        $container = new Container();
+        $container->set('session', $session);
+
+        $request = new Request();
+        $listener = new SessionListener($container);
+
+        $event = $this->getMockBuilder(GetResponseEvent::class)->disableOriginalConstructor()->getMock();
+        $event->expects($this->once())->method('isMasterRequest')->willReturn(true);
+        $event->expects($this->once())->method('getRequest')->willReturn($request);
+
+        $listener->onKernelRequest($event);
+
+        $this->assertTrue($request->hasSession());
+        $this->assertSame($session, $request->getSession());
+    }
+
+    public function testResponseIsPrivate()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+        $session->expects($this->once())->method('hasStarted')->willReturn(true);
+
+        $container = new Container();
+        $container->set('initialized_session', $session);
+
+        $listener = new SessionListener($container);
+        $kernel = $this->getMockBuilder(HttpKernelInterface::class)->disableOriginalConstructor()->getMock();
+
+        $response = new Response();
+        $listener->onKernelResponse(new FilterResponseEvent($kernel, new Request(), HttpKernelInterface::MASTER_REQUEST, $response));
+
+        $this->assertTrue($response->headers->hasCacheControlDirective('private'));
+        $this->assertTrue($response->headers->hasCacheControlDirective('must-revalidate'));
+        $this->assertSame('0', $response->headers->getCacheControlDirective('max-age'));
+    }
+
+    public function testUninitilizedSession()
+    {
+        $event = $this->getMockBuilder(FilterResponseEvent::class)->disableOriginalConstructor()->getMock();
+        $event->expects($this->once())->method('isMasterRequest')->willReturn(true);
+
+        $listener = new SessionListener(new Container());
+        $listener->onKernelResponse($event);
+    }
+}
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/TestSessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/TestSessionListenerTest.php
@@ -131,6 +131,9 @@ private function sessionMustBeSaved()
 
     private function sessionHasBeenStarted()
     {
+        $this->session->expects($this->any())
+            ->method('hasStarted')
+            ->will($this->returnValue(true));
         $this->session->expects($this->once())
             ->method('isStarted')
             ->will($this->returnValue(true));
diff --git a/src/Symfony/Component/HttpKernel/composer.json b/src/Symfony/Component/HttpKernel/composer.json
@@ -18,7 +18,7 @@
     "require": {
         "php": "^5.5.9|>=7.0.8",
         "symfony/event-dispatcher": "~2.8|~3.0|~4.0",
-        "symfony/http-foundation": "^3.3.11|~4.0",
+        "symfony/http-foundation": "^3.4.4|^4.0.4",
         "symfony/debug": "~2.8|~3.0|~4.0",
         "psr/log": "~1.0"
     },

Original file line number	Diff line number	Diff line change
`@@ -824,7 +824,12 @@ public function get($key, $default = null)`
`824`	`824`	`*/`
`825`	`825`	`public function getSession()`
`826`	`826`	`{`
`827`		`- return $this->session;`
	`827`	`+ $session = $this->session;`
	`828`	`+ if (!$session instanceof SessionInterface && null !== $session) {`
	`829`	`+ $this->setSession($session = $session());`
	`830`	`+ }`
	`831`	`+`
	`832`	`+ return $session;`
`828`	`833`	`}`
`829`	`834`
`830`	`835`	`/**`
`@@ -836,7 +841,7 @@ public function getSession()`
`836`	`841`	`public function hasPreviousSession()`
`837`	`842`	`{`
`838`	`843`	`// the check for $this->session avoids malicious users trying to fake a session cookie with proper name`
`839`		`- return $this->hasSession() && $this->cookies->has($this->session->getName());`
	`844`	`+ return $this->hasSession() && $this->cookies->has($this->getSession()->getName());`
`840`	`845`	`}`
`841`	`846`
`842`	`847`	`/**`
`@@ -863,6 +868,14 @@ public function setSession(SessionInterface $session)`
`863`	`868`	`$this->session = $session;`
`864`	`869`	`}`
`865`	`870`
	`871`	`+ /**`
	`872`	`+ * @internal`
	`873`	`+ */`
	`874`	`+ public function setSessionFactory(callable $factory)`
	`875`	`+ {`
	`876`	`+ $this->session = $factory;`
	`877`	`+ }`
	`878`	`+`
`866`	`879`	`/**`
`867`	`880`	`* Returns the client IP addresses.`
`868`	`881`	`*`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ class Session implements SessionInterface, \IteratorAggregate, \Countable`
`29`	`29`	`private $flashName;`
`30`	`30`	`private $attributeName;`
`31`	`31`	`private $data = array();`
	`32`	`+ private $hasStarted = false;`
`32`	`33`
`33`	`34`	`/**`
`34`	`35`	`* @param SessionStorageInterface $storage A SessionStorageInterface instance`
`@@ -53,6 +54,8 @@ public function __construct(SessionStorageInterface $storage = null, AttributeBa`
`53`	`54`	`*/`
`54`	`55`	`public function start()`
`55`	`56`	`{`
	`57`	`+ $this->hasStarted = true;`
	`58`	`+`
`56`	`59`	`return $this->storage->start();`
`57`	`60`	`}`
`58`	`61`
`@@ -140,6 +143,16 @@ public function count()`
`140`	`143`	`return count($this->getAttributeBag()->all());`
`141`	`144`	`}`
`142`	`145`
	`146`	`+ /**`
	`147`	`+ * @return bool`
	`148`	`+ *`
	`149`	`+ * @internal`
	`150`	`+ */`
	`151`	`+ public function hasStarted()`
	`152`	`+ {`
	`153`	`+ return $this->hasStarted;`
	`154`	`+ }`
	`155`	`+`
`143`	`156`	`/**`
`144`	`157`	`* @return bool`
`145`	`158`	`*`
`@@ -235,6 +248,8 @@ public function registerBag(SessionBagInterface $bag)`
`235`	`248`	`*/`
`236`	`249`	`public function getBag($name)`
`237`	`250`	`{`
	`251`	`+ $this->hasStarted = true;`
	`252`	`+`
`238`	`253`	`return $this->storage->getBag($name)->getBag();`
`239`	`254`	`}`
`240`	`255`
`@@ -257,6 +272,6 @@ public function getFlashBag()`
`257`	`272`	`*/`
`258`	`273`	`private function getAttributeBag()`
`259`	`274`	`{`
`260`		`- return $this->storage->getBag($this->attributeName)->getBag();`
	`275`	`+ return $this->getBag($this->attributeName);`
`261`	`276`	`}`
`262`	`277`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\HttpKernel\EventListener;`
`13`	`13`
	`14`	`+use Symfony\Component\HttpFoundation\Session\Session;`
`14`	`15`	`use Symfony\Component\HttpFoundation\Session\SessionInterface;`
`15`	`16`	`use Symfony\Component\HttpKernel\Event\GetResponseEvent;`
`16`	`17`	`use Symfony\Component\HttpKernel\KernelEvents;`
`@@ -30,12 +31,9 @@ public function onKernelRequest(GetResponseEvent $event)`
`30`	`31`	`}`
`31`	`32`
`32`	`33`	`$request = $event->getRequest();`
`33`		`- $session = $this->getSession();`
`34`		`- if (null === $session \|\| $request->hasSession()) {`
`35`		`- return;`
	`34`	`+ if (!$request->hasSession()) {`
	`35`	`+ $request->setSessionFactory(function () { return $this->getSession(); });`
`36`	`36`	`}`
`37`		`-`
`38`		`- $request->setSession($session);`
`39`	`37`	`}`
`40`	`38`
`41`	`39`	`public static function getSubscribedEvents()`
Original file line number	Diff line number	Diff line change
`@@ -61,10 +61,10 @@ public function onKernelResponse(FilterResponseEvent $event)`
`61`	`61`	`$session = $event->getRequest()->getSession();`
`62`	`62`	`if ($session && $session->isStarted()) {`
`63`	`63`	`$session->save();`
`64`		`- if (!$session instanceof Session \|\| !\method_exists($session, 'isEmpty') \|\| !$session->isEmpty()) {`
`65`		`- $params = session_get_cookie_params();`
`66`		`- $event->getResponse()->headers->setCookie(new Cookie($session->getName(), $session->getId(), 0 === $params['lifetime'] ? 0 : time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']));`
`67`		`- }`
	`64`	`+ }`
	`65`	`+ if ($session && ($session instanceof Session ? $session->hasStarted() && !$session->isEmpty() : $sessions->isStarted())) {`
	`66`	`+ $params = session_get_cookie_params();`
	`67`	`+ $event->getResponse()->headers->setCookie(new Cookie($session->getName(), $session->getId(), 0 === $params['lifetime'] ? 0 : time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']));`
`68`	`68`	`}`
`69`	`69`	`}`
`70`	`70`
Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,6 @@ public function onKernelResponse(FilterResponseEvent $event)`
`53`	`53`	`$session = $event->getRequest()->getSession();`
`54`	`54`	`if ($session && $session->isStarted()) {`
`55`	`55`	`$session->save();`
`56`		`- $event->getResponse()`
`57`		`- ->setPrivate()`
`58`		`- ->setMaxAge(0)`
`59`		`- ->headers->addCacheControlDirective('must-revalidate');`
`60`	`56`	`}`
`61`	`57`	`}`
`62`	`58`
Original file line number	Diff line number	Diff line change
`@@ -45,9 +45,5 @@ public function testSessionSavedAndResponsePrivate()`
`45`	`45`	`$request->setSession($session);`
`46`	`46`	`$response = new Response();`
`47`	`47`	`$listener->onKernelResponse(new FilterResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, $response));`
`48`		`-`
`49`		`- $this->assertTrue($response->headers->hasCacheControlDirective('private'));`
`50`		`- $this->assertTrue($response->headers->hasCacheControlDirective('must-revalidate'));`
`51`		`- $this->assertSame('0', $response->headers->getCacheControlDirective('max-age'));`
`52`	`48`	`}`
`53`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,9 @@ private function sessionMustBeSaved()`
`131`	`131`
`132`	`132`	`private function sessionHasBeenStarted()`
`133`	`133`	`{`
	`134`	`+ $this->session->expects($this->any())`
	`135`	`+ ->method('hasStarted')`
	`136`	`+ ->will($this->returnValue(true));`
`134`	`137`	`$this->session->expects($this->once())`
`135`	`138`	`->method('isStarted')`
`136`	`139`	`->will($this->returnValue(true));`