feature #41390 [HttpKernel] Add session cookie handling in cli context (alexander-schranz, Nyholm)

fabpot · fabpot · commit ad641247fec5 · 2021-09-06T10:28:08.000+02:00
This PR was squashed before being merged into the 5.4 branch. Discussion ---------- [HttpKernel] Add session cookie handling in cli context | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | no  | Deprecations? | no  | Tickets | Fix #42890 | License | MIT | Doc PR | symfony/symfony-docs#...  Currently the session cookie is never set on the `request` object. In a normal webserver setup this is not needed as a session is in php-fpm or apache fastcgi written by php itself when the response is outputted in: https://github.com/symfony/symfony/blob/744b901750c1cc09e85bcb2ebdf0505449a1158f/src/Symfony/Component/HttpFoundation/Response.php#L393 When use a runner like `Roadrunner` the `session` cookie is never set on the `Request` object, as this kind of appserver never really outputs something and is running in the `cli` context. Actually there is no way from outside to know if `$session->save()` was called or not because when the code in `Roadrunner` executes the session is actually written and so closed here: https://github.com/symfony/symfony/blob/744b901750c1cc09e85bcb2ebdf0505449a1158f/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php#L279. The best way so to fix this issue is that in CLI context symfony writes the session cookie on the `Response` object when the session is really saved. This fixes issues which we have in the current roadrunner implementation of php runtime: - [x] https://github.com/php-runtime/roadrunner-symfony-nyholm/blob/58665237ef2bff08a1ebf269e64abbf8cd09fbd7/src/Runner.php#L89 - [x] https://github.com/php-runtime/roadrunner-symfony-nyholm/blob/58665237ef2bff08a1ebf269e64abbf8cd09fbd7/src/Runner.php#L81 Beside Roadrunner there is also Swoole implementation which would require the same here: php-runtime/runtime#60 With this changes the Runners can be simplified a lot: https://github.com/php-runtime/runtime/pull/62/files# ## TODO Reset session variables after successfully response. The following code currently lives also in the runtime implementation but is requires also by all runners and so we should find a place where we put it: ``` if (PHP_SESSION_ACTIVE === session_status()) { session_abort(); } // reset all session variables to initialize state $_SESSION = []; session_id(''); // in this case session_start() will generate us a new session_id() ``` EDIT: Added this now to the `AbstractSessionListener` service via `ResetInterface`. Commits ------- b3e4f66 [HttpKernel] Add session cookie handling in cli context
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -327,7 +327,7 @@ public function load(array $configs, ContainerBuilder $container)
             $this->sessionConfigEnabled = true;
             $this->registerSessionConfiguration($config['session'], $container, $loader);
             if (!empty($config['test'])) {
-                $container->getDefinition('test.session.listener')->setArgument(1, '%session.storage.options%');
+                $container->getDefinition('test.session.listener')->setArgument(2, '%session.storage.options%');
             }
         }
 
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/session.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/session.php
@@ -153,8 +153,10 @@
                     'session_collector' => service('data_collector.request.session_collector')->ignoreOnInvalid(),
                 ]),
                 param('kernel.debug'),
+                param('session.storage.options'),
             ])
             ->tag('kernel.event_subscriber')
+            ->tag('kernel.reset', ['method' => 'reset'])
 
         // for BC
         ->alias('session.storage.filesystem', 'session.storage.mock_file')
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/test.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/test.php
@@ -16,7 +16,7 @@
 use Symfony\Component\BrowserKit\CookieJar;
 use Symfony\Component\BrowserKit\History;
 use Symfony\Component\DependencyInjection\ServiceLocator;
-use Symfony\Component\HttpKernel\EventListener\TestSessionListener;
+use Symfony\Component\HttpKernel\EventListener\SessionListener;
 
 return static function (ContainerConfigurator $container) {
     $container->parameters()->set('test.client.parameters', []);
@@ -35,11 +35,13 @@
         ->set('test.client.history', History::class)->share(false)
         ->set('test.client.cookiejar', CookieJar::class)->share(false)
 
-        ->set('test.session.listener', TestSessionListener::class)
+        ->set('test.session.listener', SessionListener::class)
             ->args([
                 service_locator([
                     'session' => service('.session.do-not-use')->ignoreOnInvalid(),
                 ]),
+                param('kernel.debug'),
+                param('session.storage.options'),
             ])
             ->tag('kernel.event_subscriber')
 
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -186,7 +186,7 @@ class Request
     protected $format;
 
     /**
-     * @var SessionInterface|callable
+     * @var SessionInterface|callable(): SessionInterface
      */
     protected $session;
 
@@ -775,6 +775,8 @@ public function setSession(SessionInterface $session)
 
     /**
      * @internal
+     *
+     * @param callable(): SessionInterface $factory
      */
     public function setSessionFactory(callable $factory)
     {
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
@@ -13,13 +13,16 @@
 
 use Psr\Container\ContainerInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\HttpFoundation\Session\SessionUtils;
 use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\Exception\UnexpectedSessionUsageException;
 use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Contracts\Service\ResetInterface;
 
 /**
  * Sets the session onto the request on the "kernel.request" event and saves
@@ -36,18 +39,24 @@
  *
  * @internal
  */
-abstract class AbstractSessionListener implements EventSubscriberInterface
+abstract class AbstractSessionListener implements EventSubscriberInterface, ResetInterface
 {
     public const NO_AUTO_CACHE_CONTROL_HEADER = 'Symfony-Session-NoAutoCacheControl';
 
     protected $container;
     private $sessionUsageStack = [];
     private $debug;
 
-    public function __construct(ContainerInterface $container = null, bool $debug = false)
+    /**
+     * @var array<string, mixed>
+     */
+    private $sessionOptions;
+
+    public function __construct(ContainerInterface $container = null, bool $debug = false, array $sessionOptions = [])
     {
         $this->container = $container;
         $this->debug = $debug;
+        $this->sessionOptions = $sessionOptions;
     }
 
     public function onKernelRequest(RequestEvent $event)
@@ -60,7 +69,22 @@ public function onKernelRequest(RequestEvent $event)
         if (!$request->hasSession()) {
             // This variable prevents calling `$this->getSession()` twice in case the Request (and the below factory) is cloned
             $sess = null;
-            $request->setSessionFactory(function () use (&$sess) { return $sess ?? $sess = $this->getSession(); });
+            $request->setSessionFactory(function () use (&$sess, $request) {
+                if (!$sess) {
+                    $sess = $this->getSession();
+                }
+
+                /*
+                 * For supporting sessions in php runtime with runners like roadrunner or swoole the session
+                 * cookie need read from the cookie bag and set on the session storage.
+                 */
+                if ($sess && !$sess->isStarted()) {
+                    $sessionId = $request->cookies->get($sess->getName(), '');
+                    $sess->setId($sessionId);
+                }
+
+                return $sess;
+            });
         }
 
         $session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : null;
@@ -109,6 +133,54 @@ public function onKernelResponse(ResponseEvent $event)
              * it is saved will just restart it.
              */
             $session->save();
+
+            /*
+             * For supporting sessions in php runtime with runners like roadrunner or swoole the session
+             * cookie need to be written on the response object and should not be written by PHP itself.
+             */
+            $sessionName = $session->getName();
+            $sessionId = $session->getId();
+            $sessionCookiePath = $this->sessionOptions['cookie_path'] ?? '/';
+            $sessionCookieDomain = $this->sessionOptions['cookie_domain'] ?? null;
+            $sessionCookieSecure = $this->sessionOptions['cookie_secure'] ?? false;
+            $sessionCookieHttpOnly = $this->sessionOptions['cookie_httponly'] ?? true;
+            $sessionCookieSameSite = $this->sessionOptions['cookie_samesite'] ?? Cookie::SAMESITE_LAX;
+
+            SessionUtils::popSessionCookie($sessionName, $sessionCookiePath);
+
+            $request = $event->getRequest();
+            $requestSessionCookieId = $request->cookies->get($sessionName);
+
+            if ($requestSessionCookieId && $session->isEmpty()) {
+                $response->headers->clearCookie(
+                    $sessionName,
+                    $sessionCookiePath,
+                    $sessionCookieDomain,
+                    $sessionCookieSecure,
+                    $sessionCookieHttpOnly,
+                    $sessionCookieSameSite
+                );
+            } elseif ($sessionId !== $requestSessionCookieId) {
+                $expire = 0;
+                $lifetime = $this->sessionOptions['cookie_lifetime'] ?? null;
+                if ($lifetime) {
+                    $expire = time() + $lifetime;
+                }
+
+                $response->headers->setCookie(
+                    Cookie::create(
+                        $sessionName,
+                        $sessionId,
+                        $expire,
+                        $sessionCookiePath,
+                        $sessionCookieDomain,
+                        $sessionCookieSecure,
+                        $sessionCookieHttpOnly,
+                        false,
+                        $sessionCookieSameSite
+                    )
+                );
+            }
         }
 
         if ($session instanceof Session ? $session->getUsageIndex() === end($this->sessionUsageStack) : !$session->isStarted()) {
@@ -188,6 +260,20 @@ public static function getSubscribedEvents(): array
         ];
     }
 
+    public function reset(): void
+    {
+        if (\PHP_SESSION_ACTIVE === session_status()) {
+            session_abort();
+        }
+
+        session_unset();
+        $_SESSION = [];
+
+        if (!headers_sent()) { // session id can only be reset when no headers were so we check for headers_sent first
+            session_id('');
+        }
+    }
+
     /**
      * Gets the session object.
      *
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php
@@ -28,6 +28,8 @@
  * @author Fabien Potencier <fabien@symfony.com>
  *
  * @internal
+ *
+ * @deprecated the TestSessionListener use the default SessionListener instead
  */
 abstract class AbstractTestSessionListener implements EventSubscriberInterface
 {
@@ -37,6 +39,8 @@ abstract class AbstractTestSessionListener implements EventSubscriberInterface
     public function __construct(array $sessionOptions = [])
     {
         $this->sessionOptions = $sessionOptions;
+
+        trigger_deprecation('symfony/http-kernel', '5.4', 'The %s is deprecated use the %s instead.', __CLASS__, AbstractSessionListener::class);
     }
 
     public function onKernelRequest(RequestEvent $event)
diff --git a/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php
@@ -11,7 +11,6 @@
 
 namespace Symfony\Component\HttpKernel\EventListener;
 
-use Psr\Container\ContainerInterface;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
@@ -29,11 +28,6 @@
  */
 class SessionListener extends AbstractSessionListener
 {
-    public function __construct(ContainerInterface $container, bool $debug = false)
-    {
-        parent::__construct($container, $debug);
-    }
-
     public function onKernelRequest(RequestEvent $event)
     {
         parent::onKernelRequest($event);
diff --git a/src/Symfony/Component/HttpKernel/EventListener/TestSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/TestSessionListener.php
@@ -20,6 +20,8 @@
  * @author Fabien Potencier <fabien@symfony.com>
  *
  * @final
+ *
+ * @deprecated the TestSessionListener use the default SessionListener instead
  */
 class TestSessionListener extends AbstractTestSessionListener
 {
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
@@ -47,6 +47,7 @@ public function testOnlyTriggeredOnMainRequest()
     public function testSessionIsSet()
     {
         $session = $this->createMock(Session::class);
+        $session->expects($this->exactly(1))->method('getName')->willReturn('PHPSESSID');
 
         $requestStack = $this->createMock(RequestStack::class);
         $requestStack->expects($this->once())->method('getMainRequest')->willReturn(null);
@@ -73,6 +74,7 @@ public function testSessionIsSet()
     public function testSessionUsesFactory()
     {
         $session = $this->createMock(Session::class);
+        $session->expects($this->exactly(1))->method('getName')->willReturn('PHPSESSID');
         $sessionFactory = $this->createMock(SessionFactory::class);
         $sessionFactory->expects($this->once())->method('createSession')->willReturn($session);
 
@@ -142,6 +144,32 @@ public function testResponseIsStillPublicIfSessionStartedAndHeaderPresent()
         $this->assertFalse($response->headers->has(AbstractSessionListener::NO_AUTO_CACHE_CONTROL_HEADER));
     }
 
+    public function testSessionSaveAndResponseHasSessionCookie()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+        $session->expects($this->exactly(2))->method('getUsageIndex')->will($this->onConsecutiveCalls(0, 1));
+        $session->expects($this->exactly(1))->method('getId')->willReturn('123456');
+        $session->expects($this->exactly(1))->method('getName')->willReturn('PHPSESSID');
+        $session->expects($this->exactly(1))->method('save');
+        $session->expects($this->exactly(1))->method('isStarted')->willReturn(true);
+
+        $container = new Container();
+        $container->set('initialized_session', $session);
+
+        $listener = new SessionListener($container);
+        $kernel = $this->getMockBuilder(HttpKernelInterface::class)->disableOriginalConstructor()->getMock();
+
+        $request = new Request();
+        $listener->onKernelRequest(new RequestEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $response = new Response();
+        $listener->onKernelResponse(new ResponseEvent($kernel, new Request(), HttpKernelInterface::MASTER_REQUEST, $response));
+
+        $cookies = $response->headers->getCookies();
+        $this->assertSame('PHPSESSID', $cookies[0]->getName());
+        $this->assertSame('123456', $cookies[0]->getValue());
+    }
+
     public function testUninitializedSession()
     {
         $kernel = $this->createMock(HttpKernelInterface::class);
@@ -166,6 +194,7 @@ public function testUninitializedSession()
     public function testSurrogateMainRequestIsPublic()
     {
         $session = $this->createMock(Session::class);
+        $session->expects($this->exactly(2))->method('getName')->willReturn('PHPSESSID');
         $session->expects($this->exactly(4))->method('getUsageIndex')->will($this->onConsecutiveCalls(0, 1, 1, 1));
 
         $container = new Container();
@@ -205,6 +234,7 @@ public function testSurrogateMainRequestIsPublic()
     public function testGetSessionIsCalledOnce()
     {
         $session = $this->createMock(Session::class);
+        $session->expects($this->exactly(2))->method('getName')->willReturn('PHPSESSID');
         $sessionStorage = $this->createMock(NativeSessionStorage::class);
         $kernel = $this->createMock(KernelInterface::class);
 
@@ -282,6 +312,7 @@ public function testSessionUsageLogIfStatelessAndSessionUsed()
     public function testSessionIsSavedWhenUnexpectedSessionExceptionThrown()
     {
         $session = $this->createMock(Session::class);
+        $session->expects($this->exactly(1))->method('getName')->willReturn('PHPSESSID');
         $session->method('isStarted')->willReturn(true);
         $session->expects($this->exactly(2))->method('getUsageIndex')->will($this->onConsecutiveCalls(0, 1));
         $session->expects($this->exactly(1))->method('save');
@@ -368,4 +399,46 @@ public function testSessionUsageCallbackWhenNoStateless()
 
         (new SessionListener($container, true))->onSessionUsage();
     }
+
+    /**
+     * @runInSeparateProcess
+     */
+    public function testReset()
+    {
+        session_start();
+        $_SESSION['test'] = ['test'];
+        session_write_close();
+
+        $this->assertNotEmpty($_SESSION);
+        $this->assertNotEmpty(session_id());
+
+        $container = new Container();
+
+        (new SessionListener($container, true))->reset();
+
+        $this->assertEmpty($_SESSION);
+        $this->assertEmpty(session_id());
+        $this->assertSame(\PHP_SESSION_NONE, session_status());
+    }
+
+    /**
+     * @runInSeparateProcess
+     */
+    public function testResetUnclosedSession()
+    {
+        session_start();
+        $_SESSION['test'] = ['test'];
+
+        $this->assertNotEmpty($_SESSION);
+        $this->assertNotEmpty(session_id());
+        $this->assertSame(\PHP_SESSION_ACTIVE, session_status());
+
+        $container = new Container();
+
+        (new SessionListener($container, true))->reset();
+
+        $this->assertEmpty($_SESSION);
+        $this->assertEmpty(session_id());
+        $this->assertSame(\PHP_SESSION_NONE, session_status());
+    }
 }
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/TestSessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/TestSessionListenerTest.php
@@ -28,6 +28,7 @@
  * Tests SessionListener.
  *
  * @author Bulat Shakirzyanov <mallluhuct@gmail.com>
+ * @group legacy
  */
 class TestSessionListenerTest extends TestCase
 {

Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,7 @@ public function load(array $configs, ContainerBuilder $container)`
`327`	`327`	`$this->sessionConfigEnabled = true;`
`328`	`328`	`$this->registerSessionConfiguration($config['session'], $container, $loader);`
`329`	`329`	`if (!empty($config['test'])) {`
`330`		`- $container->getDefinition('test.session.listener')->setArgument(1, '%session.storage.options%');`
	`330`	`+ $container->getDefinition('test.session.listener')->setArgument(2, '%session.storage.options%');`
`331`	`331`	`}`
`332`	`332`	`}`
`333`	`333`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@`
`28`	`28`	`* @author Fabien Potencier <fabien@symfony.com>`
`29`	`29`	`*`
`30`	`30`	`* @internal`
	`31`	`+ *`
	`32`	`+ * @deprecated the TestSessionListener use the default SessionListener instead`
`31`	`33`	`*/`
`32`	`34`	`abstract class AbstractTestSessionListener implements EventSubscriberInterface`
`33`	`35`	`{`
`@@ -37,6 +39,8 @@ abstract class AbstractTestSessionListener implements EventSubscriberInterface`
`37`	`39`	`public function __construct(array $sessionOptions = [])`
`38`	`40`	`{`
`39`	`41`	`$this->sessionOptions = $sessionOptions;`
	`42`	`+`
	`43`	`+ trigger_deprecation('symfony/http-kernel', '5.4', 'The %s is deprecated use the %s instead.', __CLASS__, AbstractSessionListener::class);`
`40`	`44`	`}`
`41`	`45`
`42`	`46`	`public function onKernelRequest(RequestEvent $event)`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@`
`20`	`20`	`* @author Fabien Potencier <fabien@symfony.com>`
`21`	`21`	`*`
`22`	`22`	`* @final`
	`23`	`+ *`
	`24`	`+ * @deprecated the TestSessionListener use the default SessionListener instead`
`23`	`25`	`*/`
`24`	`26`	`class TestSessionListener extends AbstractTestSessionListener`
`25`	`27`	`{`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@`
`28`	`28`	`* Tests SessionListener.`
`29`	`29`	`*`
`30`	`30`	`* @author Bulat Shakirzyanov <mallluhuct@gmail.com>`
	`31`	`+ * @group legacy`
`31`	`32`	`*/`
`32`	`33`	`class TestSessionListenerTest extends TestCase`
`33`	`34`	`{`