Send new session cookie from AbstractTestSessionListener after session invalidation

rpkamp · web-flow · commit 95545895e354 · 2018-02-12T23:59:35.000+01:00
When we call `\Symfony\Component\HttpFoundation\Session\Session::invalidate` the session will be emptied and given a new ID, however, since it is empty this `AbstractTestSessionListener` will not send a new cookie to the user, so the user is not caught up to the latest session ID and will re-generate a session with the old session ID on a new visit.
Thus, we the sessionID has changed during a request we must always send a new cookie with the new sessionID, even though the session is empty.

This behaviour is also what is shown in production (non-test) mode.
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php
@@ -29,6 +29,8 @@
  */
 abstract class AbstractTestSessionListener implements EventSubscriberInterface
 {
+    private $initialSessionId;
+    
     public function onKernelRequest(GetResponseEvent $event)
     {
         if (!$event->isMasterRequest()) {
@@ -45,6 +47,7 @@ public function onKernelRequest(GetResponseEvent $event)
 
         if ($cookies->has($session->getName())) {
             $session->setId($cookies->get($session->getName()));
+            $this->initialSessionId = $cookies->get($session->getName());
         }
     }
 
@@ -66,7 +69,7 @@ public function onKernelResponse(FilterResponseEvent $event)
             $session->save();
         }
 
-        if ($session instanceof Session ? !$session->isEmpty() : $wasStarted) {
+        if ($session instanceof Session ? !$session->isEmpty() || $session->getId() !== $this->initialSessionId : $wasStarted) {
             $params = session_get_cookie_params();
             $event->getResponse()->headers->setCookie(new Cookie($session->getName(), $session->getId(), 0 === $params['lifetime'] ? 0 : time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']));
         }

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@`
`29`	`29`	`*/`
`30`	`30`	`abstract class AbstractTestSessionListener implements EventSubscriberInterface`
`31`	`31`	`{`
	`32`	`+ private $initialSessionId;`
	`33`	`+`
`32`	`34`	`public function onKernelRequest(GetResponseEvent $event)`
`33`	`35`	`{`
`34`	`36`	`if (!$event->isMasterRequest()) {`
`@@ -45,6 +47,7 @@ public function onKernelRequest(GetResponseEvent $event)`
`45`	`47`
`46`	`48`	`if ($cookies->has($session->getName())) {`
`47`	`49`	`$session->setId($cookies->get($session->getName()));`
	`50`	`+ $this->initialSessionId = $cookies->get($session->getName());`
`48`	`51`	`}`
`49`	`52`	`}`
`50`	`53`
`@@ -66,7 +69,7 @@ public function onKernelResponse(FilterResponseEvent $event)`
`66`	`69`	`$session->save();`
`67`	`70`	`}`
`68`	`71`
`69`		`- if ($session instanceof Session ? !$session->isEmpty() : $wasStarted) {`
	`72`	`+ if ($session instanceof Session ? !$session->isEmpty() \|\| $session->getId() !== $this->initialSessionId : $wasStarted) {`
`70`	`73`	`$params = session_get_cookie_params();`
`71`	`74`	`$event->getResponse()->headers->setCookie(new Cookie($session->getName(), $session->getId(), 0 === $params['lifetime'] ? 0 : time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']));`
`72`	`75`	`}`