[3.1] Regression in stateless firewall, session is initialized #18951

Closed
romainneutron opened this issue Jun 2, 2016 · 11 comments

Comments

@romainneutron
Contributor

I have a stateless API endpoint:

security:
    firewalls:
        api:
            pattern:  ^/api/
            stateless: true
            anonymous: true
            http_basic:
                realm: "API Hello"
                provider: api_provider

When I make calls to this API, everything works as expected, no cookies.
But when testing, this fails:

There was 1 failure:

1) AppBundle\Tests\Controller\Api\AuthenticationTest::testApiNoCookie
API should not set any cookie!
Failed asserting that actual size 1 matches expected size 0.
    public function testApiNoCookie()
    {
        $this->client->request('GET', '/api/');

        $this->assertResponseStatus(Response::HTTP_OK);
        $this->assertCount(0, $this->client->getResponse()->headers->getCookies(), 'API should not set any cookie!');
    }

The issue does not exist in 3.0

@romainneutron
Contributor Author

I've tagged this FrameworkBundle, but I'm not sure...

@romainneutron
Contributor Author

Oh, and by the way, here's the dump of $this->client->getResponse()->headers->getCookies() within the tests:

array(1) {
  [0]=>
  object(Symfony\Component\HttpFoundation\Cookie)#9288 (8) {
    ["name":protected]=>
    string(10) "MOCKSESSID"
    ["value":protected]=>
    string(64) "d79419bd72e463ba776102f4398afbb8ac8c70d22dee509f89d51270f7029ef3"
    ["domain":protected]=>
    string(0) ""
    ["expire":protected]=>
    int(0)
    ["path":protected]=>
    string(1) "/"
    ["secure":protected]=>
    bool(false)
    ["httpOnly":protected]=>
    bool(false)
    ["raw":"Symfony\Component\HttpFoundation\Cookie":private]=>
    bool(false)
  }
}

@stof
Member

stof commented Jun 2, 2016

Is the session system enabled in FrameworkBundle or not?

It would be useful to dump what the session contains too (using the profiler to access it in your test might work). This would help seeing what triggers this.

@romainneutron
Contributor Author

I've been a bit too fast... the session is added in the test and dev/prod environments (I said only tests previously), whereas I specify in my firewall that it is stateless.

I created a reproducer:

git clone https://github.com/romainneutron/symfony-issue-18951.git
cd symfony-issue-18951
composer install --no-interaction
bin/console server:start
sleep 2
curl -v http://127.0.0.1:8000/api/
bin/console server:stop

You should see:

*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> GET /api/ HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Host: 127.0.0.1:8000
< Connection: close
< X-Powered-By: PHP/7.0.6
< Set-Cookie: PHPSESSID=petujt0no9dv15nl7i6v8qv7c7; path=/; HttpOnly
< Cache-Control: no-cache
< Content-Type: application/json
< X-Debug-Token: ab7984
< X-Debug-Token-Link: http://127.0.0.1:8000/_profiler/ab7984
< Date: Thu, 02 Jun 2016 15:10:20 GMT
<

See the Set-Cookie: line, it should not be there...

@romainneutron
Contributor Author

The reproducer is in this single commit: romainneutron/symfony-issue-18951@9a323b0

@romainneutron changed the title from "[3.1]Regression in session mocking on stateless routes" to "[3.1] Regression in stateless firewall, session is initialized" on Jun 2, 2016
@stof
Member

stof commented Jun 2, 2016

@romainneutron this does not answer my question about what is using the session. It may not be the firewall at all.

@romainneutron
Contributor Author

The session is enabled in the framework, yes.
My problem is that the same configuration works as expected in 3.0 (romainneutron/symfony-issue-18951@9a323b0), but not in 3.1.

@stof
Member

stof commented Jun 2, 2016

Then, please answer the second half of my comment, i.e. checking what got stored in the session.

@stof
Member

stof commented Jun 2, 2016

Another idea would be to look at what called $session->start() (can it be seen on a Blackfire callgraph? I never tried using it this way).

@inso

inso commented Jun 2, 2016

Here is the backtrace in dev mode:

#0  Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->start() called at [/home/.../symfony-issue-18951/var/cache/dev/classes.php:4678]
#1  Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage->getBag() called at [/home/.../symfony-issue-18951/var/cache/dev/classes.php:4441]
#2  Symfony\Component\HttpFoundation\Session\Session->has() called at [/home/.../symfony-issue-18951/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/DataCollector/RequestDataCollector.php:298]
#3  Symfony\Component\HttpKernel\DataCollector\RequestDataCollector->onKernelResponse()
#4  call_user_func() called at [/home/.../symfony-issue-18951/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php:61]
#5  Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke()
#6  call_user_func() called at [/home/.../symfony-issue-18951/var/cache/dev/classes.php:4178]
#7  Symfony\Component\EventDispatcher\EventDispatcher->doDispatch() called at [/home/.../symfony-issue-18951/var/cache/dev/classes.php:4093]
#8  Symfony\Component\EventDispatcher\EventDispatcher->dispatch() called at [/home/.../symfony-issue-18951/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/TraceableEventDispatcher.php:136]
#9  Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch() called at [/home/.../symfony-issue-18951/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php:188]
#10 Symfony\Component\HttpKernel\HttpKernel->filterResponse() called at [/home/.../symfony-issue-18951/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php:170]
#11 Symfony\Component\HttpKernel\HttpKernel->handleRaw() called at [/home/.../symfony-issue-18951/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php:66]
#12 Symfony\Component\HttpKernel\HttpKernel->handle() called at [/home/.../symfony-issue-18951/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php:169]
#13 Symfony\Component\HttpKernel\Kernel->handle() called at [/home/.../symfony-issue-18951/web/app_dev.php:30]
#14 require(/home/.../symfony-issue-18951/web/app_dev.php) called at [/home/.../symfony-issue-18951/vendor/symfony/symfony/src/Symfony/Bundle/FrameworkBundle/Resources/config/router_dev.php:40]

@romainneutron
Contributor Author

I've tracked the issue down to RequestDataCollector (as mentioned by @inso). Here's my proposed patch: #18954
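The mechanism in the backtrace above, as an added illustration (this is not code from the issue, from the reproducer, or from Symfony's own RequestDataCollector): a kernel.response listener that reads the session unconditionally starts it as a side effect, because Session::has() asks the storage for its attribute bag and the storage starts itself to hand the bag out. The guarded variant checks Request::hasSession() and SessionInterface::isStarted() first, so a request served by a stateless firewall never acquires a session (and, with NativeSessionStorage, never gets the Set-Cookie). The Composer autoload path and the '_security_api' attribute name are assumptions; MockArraySessionStorage is used so the script runs without PHP's native session.

```php
<?php
// Added example for this thread; not code from the issue, the linked
// reproducer, or Symfony itself. Assumes symfony/http-foundation is
// installed via Composer (the autoload path below is an assumption).
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;

// The pattern behind the backtrace: Session::has() fetches the attribute bag
// from the storage, and the storage starts itself to return the bag. On a
// stateless firewall nothing else starts the session, so this read is what
// creates it. Returns bool.
function naiveCollect(Request $request)
{
    $session = $request->getSession();

    return $session->has('_security_api'); // '_security_api' is an assumed key
}

// Guarded variant: only consult the session if the request carries one that
// is already started. An unstarted session is left alone, so a stateless
// endpoint stays cookie-free; the collector simply reports "unknown" (null).
function guardedCollect(Request $request)
{
    if (!$request->hasSession() || !$request->getSession()->isStarted()) {
        return null;
    }

    return $request->getSession()->has('_security_api');
}

// Build a request for the stateless endpoint with a fresh, unstarted session,
// run one collector over it, and report whether the storage ended up started.
function collectorStartsSession(callable $collector)
{
    $storage = new MockArraySessionStorage();
    $request = Request::create('/api/');
    $request->setSession(new Session($storage));

    $collector($request);

    return $storage->isStarted();
}

printf("naive collector started the session: %s\n",
    collectorStartsSession('naiveCollect') ? 'yes' : 'no');
printf("guarded collector started the session: %s\n",
    collectorStartsSession('guardedCollect') ? 'yes' : 'no');
```

The same check is worth keeping in any listener or collector that inspects session data on kernel.response: a stateless endpoint that suddenly emits a session cookie has silently changed its security model, and the reporter's "no Set-Cookie on /api/" assertion above is the cheapest regression test for it.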

@fabpot closed this as completed Jun 3, 2016
fabpot added a commit that referenced this issue Jun 3, 2016
…ssion (romainneutron)

This PR was merged into the 3.1 branch.

Discussion
----------

[3.1][HttpKernel] Fix RequestDataCollector starting the session

| Q             | A
| ------------- | ---
| Branch?       | 3.1
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #18951
| License       | MIT

The RequestDataCollector starts a non-started session on kernel response. This produces bug #18951.
I'm not sure if this is the right fix, let's discuss it.

Commits
-------

ab62dcf [HttpKernel] Fix RequestDataCollector starting the session