[HttpKernel] wrong usage of SessionUtils::popSessionCookie AbstractSessionListener #44434

Closed
@simonchrz

Symfony version(s) affected

5.4.0

Description

On Kernel response we currently get two Set-Cookie headers: one generated by php because of a session_start() call and the other one created by the symfony SessionListener. The parent class AbstractSessionListener wants to remove possible other Set-Cookie headers by using the SessionUtils::popSessionCookie function. This doesn't work right now because of a wrong function usage: 2nd parameter is not the sessionId as expected.

The function onKernelResponse() removes possible Set-Cookie headers from headers_list by using SessionUtils::popSessionCookie($sessionName, $sessionCookiePath);
https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php#L149

2nd expected parameter of SessionUtils::popSessionCookie function is the sessionId, not the $sessionCookiePath
https://github.com/symfony/symfony/blob/v5.4.0/src/Symfony/Component/HttpFoundation/Session/SessionUtils.php#L28

How to reproduce

see description

Possible Solution

replace wrong parameter by $sessionId on https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php#L149

Additional Context

No response
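
The effect reported above, as an added example that is not part of the original issue and is not Symfony's code: a simplified model of removing the session cookie from a header list, called once with the cookie path and once with the session id as the second argument. The function name `filterSessionCookie`, the assumption that matching is done on the `name=id;` pair, and the sample headers are all constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Simplified model (assumption, not Symfony's implementation): drop the
 * Set-Cookie line carrying "<sessionName>=<sessionId>;" and keep the rest.
 * Takes the headers as an array instead of headers_list() so it runs on the CLI.
 */
function filterSessionCookie(array $headers, string $sessionName, string $sessionId): array
{
    $pair = urlencode($sessionName).'='.urlencode($sessionId).';';
    $kept = [];
    foreach ($headers as $h) {
        // Header names are case-insensitive, cookie name and value are not.
        $isSetCookie = 0 === stripos($h, 'Set-Cookie:');
        if ($isSetCookie && 0 === strpos(ltrim(substr($h, 11)), $pair)) {
            continue; // cookie emitted by PHP for this session: remove it
        }
        $kept[] = $h;
    }

    return $kept;
}

// Constructed sample: headers as they could look when the response is prepared.
$headers = [
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly', // from session_start()
    'Set-Cookie: theme=dark; path=/',
];
$sessionName = 'PHPSESSID';
$sessionId = 'abc123';
$sessionCookiePath = '/';

// Call shape described in the issue: cookie path passed where the id belongs.
$withPath = filterSessionCookie($headers, $sessionName, $sessionCookiePath);
// Call shape proposed in the issue: session id as second argument.
$withId = filterSessionCookie($headers, $sessionName, $sessionId);

foreach (['path as 2nd argument' => $withPath, 'id as 2nd argument' => $withId] as $label => $result) {
    $sessionCookies = array_filter($result, static function (string $h) use ($sessionName): bool {
        return 0 === stripos($h, 'Set-Cookie: '.$sessionName.'=');
    });
    printf("%s: %d header(s) kept, %d session cookie(s) left\n", $label, count($result), count($sessionCookies));
}
```

When the PHP-generated cookie is left in place, the listener's own Set-Cookie is sent alongside it, which is the duplicate the issue reports.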
