[HttpKernel] Fix session handling: decouple "save" from setting response "private"

nicolas-grekas · nicolas-grekas · commit daca5675dc96 · 2018-01-09T12:41:15.000+01:00
diff --git a/src/Symfony/Component/HttpFoundation/Session/Session.php b/src/Symfony/Component/HttpFoundation/Session/Session.php
@@ -29,6 +29,7 @@ class Session implements SessionInterface, \IteratorAggregate, \Countable
     private $flashName;
     private $attributeName;
     private $data = array();
+    private $hasBeenStarted;
 
     /**
      * @param SessionStorageInterface $storage    A SessionStorageInterface instance
@@ -140,6 +141,16 @@ public function count()
         return count($this->getAttributeBag()->all());
     }
 
+    /**
+     * @return bool
+     *
+     * @internal
+     */
+    public function hasBeenStarted()
+    {
+        return $this->hasBeenStarted;
+    }
+
     /**
      * @return bool
      *
@@ -227,7 +238,7 @@ public function getMetadataBag()
      */
     public function registerBag(SessionBagInterface $bag)
     {
-        $this->storage->registerBag(new SessionBagProxy($bag, $this->data));
+        $this->storage->registerBag(new SessionBagProxy($bag, $this->data, $this->hasBeenStarted));
     }
 
     /**
@@ -257,6 +268,6 @@ public function getFlashBag()
      */
     private function getAttributeBag()
     {
-        return $this->storage->getBag($this->attributeName)->getBag();
+        return $this->getBag($this->attributeName);
     }
 }
diff --git a/src/Symfony/Component/HttpFoundation/Session/SessionBagProxy.php b/src/Symfony/Component/HttpFoundation/Session/SessionBagProxy.php
@@ -20,11 +20,13 @@ final class SessionBagProxy implements SessionBagInterface
 {
     private $bag;
     private $data;
+    private $hasBeenStarted;
 
-    public function __construct(SessionBagInterface $bag, array &$data)
+    public function __construct(SessionBagInterface $bag, array &$data, &$hasBeenStarted)
     {
         $this->bag = $bag;
         $this->data = &$data;
+        $this->hasBeenStarted = &$hasBeenStarted;
     }
 
     /**
@@ -56,6 +58,7 @@ public function getName()
      */
     public function initialize(array &$array)
     {
+        $this->hasBeenStarted = true;
         $this->data[$this->bag->getStorageKey()] = &$array;
 
         $this->bag->initialize($array);
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php
@@ -58,13 +58,17 @@ public function onKernelResponse(FilterResponseEvent $event)
             return;
         }
 
-        $session = $event->getRequest()->getSession();
-        if ($session && $session->isStarted()) {
+        if (!$session = $event->getRequest()->getSession()) {
+            return;
+        }
+
+        if ($hasBeenStarted = $session->isStarted()) {
             $session->save();
-            if (!$session instanceof Session || !\method_exists($session, 'isEmpty') || !$session->isEmpty()) {
-                $params = session_get_cookie_params();
-                $event->getResponse()->headers->setCookie(new Cookie($session->getName(), $session->getId(), 0 === $params['lifetime'] ? 0 : time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']));
-            }
+        }
+
+        if ($session instanceof Session && \method_exists($session, 'isEmpty') ? !$session->isEmpty() : $hasBeenStarted) {
+            $params = session_get_cookie_params();
+            $event->getResponse()->headers->setCookie(new Cookie($session->getName(), $session->getId(), 0 === $params['lifetime'] ? 0 : time() + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']));
         }
     }
 
diff --git a/src/Symfony/Component/HttpKernel/EventListener/SaveSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/SaveSessionListener.php
@@ -53,10 +53,6 @@ public function onKernelResponse(FilterResponseEvent $event)
         $session = $event->getRequest()->getSession();
         if ($session && $session->isStarted()) {
             $session->save();
-            $event->getResponse()
-                ->setPrivate()
-                ->setMaxAge(0)
-                ->headers->addCacheControlDirective('must-revalidate');
         }
     }
 
diff --git a/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php
@@ -12,6 +12,9 @@
 namespace Symfony\Component\HttpKernel\EventListener;
 
 use Psr\Container\ContainerInterface;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
 
 /**
  * Sets the session in the request.
@@ -29,6 +32,24 @@ public function __construct(ContainerInterface $container)
         $this->container = $container;
     }
 
+    public function onKernelResponse(FilterResponseEvent $event)
+    {
+        if (!$event->isMasterRequest()) {
+            return;
+        }
+
+        if (!$session = $event->getRequest()->getSession()) {
+            return;
+        }
+
+        if ($session->isStarted() || ($session instanceof Session && ((\method_exists($session, 'hasBeenStarted') && $session->hasBeenStarted()) || (\method_exists($session, 'isEmpty') && !$session->isEmpty())))) {
+            $event->getResponse()
+                ->setPrivate()
+                ->setMaxAge(0)
+                ->headers->addCacheControlDirective('must-revalidate');
+        }
+    }
+
     protected function getSession()
     {
         if (!$this->container->has('session')) {
@@ -37,4 +58,12 @@ protected function getSession()
 
         return $this->container->get('session');
     }
+
+    public static function getSubscribedEvents()
+    {
+        return parent::getSubscribedEvents() + array(
+            // low priority to come after regular response listeners
+            KernelEvents::RESPONSE => array(array('onKernelResponse', -1000)),
+        );
+    }
 }
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/SaveSessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/SaveSessionListenerTest.php
@@ -32,7 +32,7 @@ public function testOnlyTriggeredOnMasterRequest()
         $listener->onKernelResponse($event);
     }
 
-    public function testSessionSavedAndResponsePrivate()
+    public function testSessionSaved()
     {
         $listener = new SaveSessionListener();
         $kernel = $this->getMockBuilder(HttpKernelInterface::class)->disableOriginalConstructor()->getMock();
@@ -45,9 +45,5 @@ public function testSessionSavedAndResponsePrivate()
         $request->setSession($session);
         $response = new Response();
         $listener->onKernelResponse(new FilterResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, $response));
-
-        $this->assertTrue($response->headers->hasCacheControlDirective('private'));
-        $this->assertTrue($response->headers->hasCacheControlDirective('must-revalidate'));
-        $this->assertSame('0', $response->headers->getCacheControlDirective('max-age'));
     }
 }
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
@@ -0,0 +1,85 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpKernel\Tests\EventListener;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\DependencyInjection\Container;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
+use Symfony\Component\HttpKernel\EventListener\AbstractSessionListener;
+use Symfony\Component\HttpKernel\EventListener\SessionListener;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+
+class SessionListenerTest extends TestCase
+{
+    public function testOnlyTriggeredOnMasterRequest()
+    {
+        $listener = $this->getMockForAbstractClass(AbstractSessionListener::class);
+        $event = $this->getMockBuilder(GetResponseEvent::class)->disableOriginalConstructor()->getMock();
+        $event->expects($this->once())->method('isMasterRequest')->willReturn(false);
+        $event->expects($this->never())->method('getRequest');
+
+        // sub request
+        $listener->onKernelRequest($event);
+    }
+
+    public function testSessionIsSet()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+
+        $container = new Container();
+        $container->set('session', $session);
+
+        $request = new Request();
+        $listener = new SessionListener($container);
+
+        $event = $this->getMockBuilder(GetResponseEvent::class)->disableOriginalConstructor()->getMock();
+        $event->expects($this->once())->method('isMasterRequest')->willReturn(true);
+        $event->expects($this->once())->method('getRequest')->willReturn($request);
+
+        $listener->onKernelRequest($event);
+
+        $this->assertTrue($request->hasSession());
+        $this->assertSame($session, $request->getSession());
+    }
+
+    public function testResponseIsPrivate()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+        $session->expects($this->once())->method('isStarted')->willReturn(false);
+        if (method_exists($session, 'hasBeenStarted')) {
+            $session->expects($this->once())->method('hasBeenStarted')->willReturn(true);
+        } elseif (method_exists($session, 'isEmpty')) {
+            $session->expects($this->once())->method('isEmpty')->willReturn(false);
+        } else {
+            $session->expects($this->once())->method('isStarted')->willReturn(true);
+        }
+
+        $container = new Container();
+        $container->set('session', $session);
+
+        $listener = new SessionListener($container);
+        $kernel = $this->getMockBuilder(HttpKernelInterface::class)->disableOriginalConstructor()->getMock();
+
+        $request = new Request();
+        $response = new Response();
+        $listener->onKernelRequest(new GetResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST));
+        $listener->onKernelResponse(new FilterResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, $response));
+
+        $this->assertTrue($response->headers->hasCacheControlDirective('private'));
+        $this->assertTrue($response->headers->hasCacheControlDirective('must-revalidate'));
+        $this->assertSame('0', $response->headers->getCacheControlDirective('max-age'));
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ class Session implements SessionInterface, \IteratorAggregate, \Countable`
`29`	`29`	`private $flashName;`
`30`	`30`	`private $attributeName;`
`31`	`31`	`private $data = array();`
	`32`	`+ private $hasBeenStarted;`
`32`	`33`
`33`	`34`	`/**`
`34`	`35`	`* @param SessionStorageInterface $storage A SessionStorageInterface instance`
`@@ -140,6 +141,16 @@ public function count()`
`140`	`141`	`return count($this->getAttributeBag()->all());`
`141`	`142`	`}`
`142`	`143`
	`144`	`+ /**`
	`145`	`+ * @return bool`
	`146`	`+ *`
	`147`	`+ * @internal`
	`148`	`+ */`
	`149`	`+ public function hasBeenStarted()`
	`150`	`+ {`
	`151`	`+ return $this->hasBeenStarted;`
	`152`	`+ }`
	`153`	`+`
`143`	`154`	`/**`
`144`	`155`	`* @return bool`
`145`	`156`	`*`
`@@ -227,7 +238,7 @@ public function getMetadataBag()`
`227`	`238`	`*/`
`228`	`239`	`public function registerBag(SessionBagInterface $bag)`
`229`	`240`	`{`
`230`		`- $this->storage->registerBag(new SessionBagProxy($bag, $this->data));`
	`241`	`+ $this->storage->registerBag(new SessionBagProxy($bag, $this->data, $this->hasBeenStarted));`
`231`	`242`	`}`
`232`	`243`
`233`	`244`	`/**`
`@@ -257,6 +268,6 @@ public function getFlashBag()`
`257`	`268`	`*/`
`258`	`269`	`private function getAttributeBag()`
`259`	`270`	`{`
`260`		`- return $this->storage->getBag($this->attributeName)->getBag();`
	`271`	`+ return $this->getBag($this->attributeName);`
`261`	`272`	`}`
`262`	`273`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,11 +20,13 @@ final class SessionBagProxy implements SessionBagInterface`
`20`	`20`	`{`
`21`	`21`	`private $bag;`
`22`	`22`	`private $data;`
	`23`	`+ private $hasBeenStarted;`
`23`	`24`
`24`		`- public function __construct(SessionBagInterface $bag, array &$data)`
	`25`	`+ public function __construct(SessionBagInterface $bag, array &$data, &$hasBeenStarted)`
`25`	`26`	`{`
`26`	`27`	`$this->bag = $bag;`
`27`	`28`	`$this->data = &$data;`
	`29`	`+ $this->hasBeenStarted = &$hasBeenStarted;`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`/**`
`@@ -56,6 +58,7 @@ public function getName()`
`56`	`58`	`*/`
`57`	`59`	`public function initialize(array &$array)`
`58`	`60`	`{`
	`61`	`+ $this->hasBeenStarted = true;`
`59`	`62`	`$this->data[$this->bag->getStorageKey()] = &$array;`
`60`	`63`
`61`	`64`	`$this->bag->initialize($array);`
Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,6 @@ public function onKernelResponse(FilterResponseEvent $event)`
`53`	`53`	`$session = $event->getRequest()->getSession();`
`54`	`54`	`if ($session && $session->isStarted()) {`
`55`	`55`	`$session->save();`
`56`		`- $event->getResponse()`
`57`		`- ->setPrivate()`
`58`		`- ->setMaxAge(0)`
`59`		`- ->headers->addCacheControlDirective('must-revalidate');`
`60`	`56`	`}`
`61`	`57`	`}`
`62`	`58`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ public function testOnlyTriggeredOnMasterRequest()`
`32`	`32`	`$listener->onKernelResponse($event);`
`33`	`33`	`}`
`34`	`34`
`35`		`- public function testSessionSavedAndResponsePrivate()`
	`35`	`+ public function testSessionSaved()`
`36`	`36`	`{`
`37`	`37`	`$listener = new SaveSessionListener();`
`38`	`38`	`$kernel = $this->getMockBuilder(HttpKernelInterface::class)->disableOriginalConstructor()->getMock();`
`@@ -45,9 +45,5 @@ public function testSessionSavedAndResponsePrivate()`
`45`	`45`	`$request->setSession($session);`
`46`	`46`	`$response = new Response();`
`47`	`47`	`$listener->onKernelResponse(new FilterResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, $response));`
`48`		`-`
`49`		`- $this->assertTrue($response->headers->hasCacheControlDirective('private'));`
`50`		`- $this->assertTrue($response->headers->hasCacheControlDirective('must-revalidate'));`
`51`		`- $this->assertSame('0', $response->headers->getCacheControlDirective('max-age'));`
`52`	`48`	`}`
`53`	`49`	`}`