Do not pass the value to the NativeSessionStorage constructor if its value is auto. In addition, resolve this auto value immediately when the SessionListener event is called.

tamcy · tamcy · commit 519eb1c30cdb · 2021-02-19T12:13:03.000+08:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -935,15 +935,19 @@ private function registerSessionConfiguration(array $config, ContainerBuilder $c
             }
         }
 
+        $nativeStorageDefaultOptions = $options;
+
         if ('auto' === ($options['cookie_secure'] ?? null)) {
             $locator = $container->getDefinition('session_listener')->getArgument(0);
             $locator->setValues($locator->getValues() + [
                 'session_storage' => new Reference('session.storage', ContainerInterface::IGNORE_ON_INVALID_REFERENCE),
                 'request_stack' => new Reference('request_stack'),
             ]);
+            unset($nativeStorageDefaultOptions['cookie_secure']);
         }
 
         $container->setParameter('session.storage.options', $options);
+        $container->setParameter('session.storage.native.default_options', $nativeStorageDefaultOptions);
 
         // session handler (the internal callback registered with PHP session management)
         if (null === $config['handler_id']) {
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml b/src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
@@ -25,7 +25,7 @@
         </service>
 
         <service id="session.storage.native" class="Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage">
-            <argument>%session.storage.options%</argument>
+            <argument>%session.storage.native.default_options%</argument>
             <argument type="service" id="session.handler" />
             <argument type="service" id="session.storage.metadata_bag" />
         </service>
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -1537,6 +1537,12 @@ public function testSessionCookieSecureAuto()
     {
         $container = $this->createContainerFromFile('session_cookie_secure_auto');
 
+        $options = $container->getParameter('session.storage.options');
+        $this->assertEquals('auto', $options['cookie_secure']);
+
+        $options = $container->getParameter('session.storage.native.default_options');
+        $this->assertNotContains('cookie_secure', $options, 'Should not pass "cookie_secure" to NativeSessionStorage constructor if its value is "auto"');
+
         $expected = ['session', 'initialized_session', 'session_storage', 'request_stack'];
         $this->assertEquals($expected, array_keys($container->getDefinition('session_listener')->getArgument(0)->getValues()));
     }
diff --git a/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php
@@ -14,6 +14,7 @@
 use Psr\Container\ContainerInterface;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 
 /**
  * Sets the session in the request.
@@ -33,18 +34,26 @@ public function __construct(ContainerInterface $container)
         $this->container = $container;
     }
 
-    protected function getSession(): ?SessionInterface
+    public function onKernelRequest(GetResponseEvent $event)
     {
-        if (!$this->container->has('session')) {
-            return null;
+        parent::onKernelRequest($event);
+
+        if (!$event->isMasterRequest() || !$this->container->has('session')) {
+            return;
         }
 
         if ($this->container->has('session_storage')
             && ($storage = $this->container->get('session_storage')) instanceof NativeSessionStorage
             && ($masterRequest = $this->container->get('request_stack')->getMasterRequest())
-            && $masterRequest->isSecure()
         ) {
-            $storage->setOptions(['cookie_secure' => true]);
+            $storage->setOptions(['cookie_secure' => $masterRequest->isSecure()]);
+        }
+    }
+
+    protected function getSession(): ?SessionInterface
+    {
+        if (!$this->container->has('session')) {
+            return null;
         }
 
         return $this->container->get('session');

Original file line number	Diff line number	Diff line change
`@@ -935,15 +935,19 @@ private function registerSessionConfiguration(array $config, ContainerBuilder $c`
`935`	`935`	`}`
`936`	`936`	`}`
`937`	`937`
	`938`	`+ $nativeStorageDefaultOptions = $options;`
	`939`	`+`
`938`	`940`	`if ('auto' === ($options['cookie_secure'] ?? null)) {`
`939`	`941`	`$locator = $container->getDefinition('session_listener')->getArgument(0);`
`940`	`942`	`$locator->setValues($locator->getValues() + [`
`941`	`943`	`'session_storage' => new Reference('session.storage', ContainerInterface::IGNORE_ON_INVALID_REFERENCE),`
`942`	`944`	`'request_stack' => new Reference('request_stack'),`
`943`	`945`	`]);`
	`946`	`+ unset($nativeStorageDefaultOptions['cookie_secure']);`
`944`	`947`	`}`
`945`	`948`
`946`	`949`	`$container->setParameter('session.storage.options', $options);`
	`950`	`+ $container->setParameter('session.storage.native.default_options', $nativeStorageDefaultOptions);`
`947`	`951`
`948`	`952`	`// session handler (the internal callback registered with PHP session management)`
`949`	`953`	`if (null === $config['handler_id']) {`
Original file line number	Diff line number	Diff line change
`@@ -1537,6 +1537,12 @@ public function testSessionCookieSecureAuto()`
`1537`	`1537`	`{`
`1538`	`1538`	`$container = $this->createContainerFromFile('session_cookie_secure_auto');`
`1539`	`1539`
	`1540`	`+ $options = $container->getParameter('session.storage.options');`
	`1541`	`+ $this->assertEquals('auto', $options['cookie_secure']);`
	`1542`	`+`
	`1543`	`+ $options = $container->getParameter('session.storage.native.default_options');`
	`1544`	`+ $this->assertNotContains('cookie_secure', $options, 'Should not pass "cookie_secure" to NativeSessionStorage constructor if its value is "auto"');`
	`1545`	`+`
`1540`	`1546`	`$expected = ['session', 'initialized_session', 'session_storage', 'request_stack'];`
`1541`	`1547`	`$this->assertEquals($expected, array_keys($container->getDefinition('session_listener')->getArgument(0)->getValues()));`
`1542`	`1548`	`}`