
[Security] Stateless routes remove existing session #57851

Closed
@micheh

Description

@micheh

Symfony version(s) affected

6.4.9

Description

When an application has a firewall that includes both routes with stateless: true and routes that use the session, the routes with stateless: true will remove the session data and session cookie. This means that the user has to reauthenticate if they visit a route that uses the session after visiting a route with stateless: true.

I think the stateless routes should simply ignore the session data and should not actively remove an existing session.

How to reproduce

  1. Create two routes, one with stateless: true and one without.
  2. Visit the route that uses the session and stores the user in the session.
  3. Visit the route with stateless: true. This route will remove the user in the session and delete the session cookie.

Possible Solution

The problem is that the ContextListener removes the session data in the kernel.response event:

```php
if (!$this->trustResolver->isAuthenticated($token)) {
    if ($request->hasPreviousSession()) {
        $session->remove($this->sessionKey);
    }
} else {
```

The first if statement will always be true, as the token is always null and therefore the user is not authenticated. $request->hasPreviousSession() will also be true if the user has a session cookie from the previous request.

ContextListener::onKernelResponse should probably also check if the request is stateless and return early when this is the case. This event listener either stores the token in the session or removes the session data, neither of which should be actions for stateless requests.

Additional Context

This bug was introduced in #57372
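An added functional test that reproduces the three steps above, so a maintainer can check a given Symfony version for the behaviour the report describes. It is not code from the issue or from Symfony itself. Assumed: a Symfony 6.4 application with framework.test enabled, one firewall named main that covers both probe routes, an in-memory user provider that contains a user alice, and the route paths, names and class names used here (all hypothetical). The block shows two files, a controller and the test, separated by comments.

```php
<?php
// Added reproduction, not part of the Symfony issue or of Symfony itself.
// Assumed: firewall "main" covers both routes; user "alice" exists in an
// in-memory user provider; route paths and class names are hypothetical.

// ---- src/Controller/SessionProbeController.php ----
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;

final class SessionProbeController extends AbstractController
{
    // Ordinary route on the firewall: the security token lives in the session,
    // so the response tells us who the current request was authenticated as.
    #[Route('/session-probe', name: 'session_probe')]
    public function session(): Response
    {
        return new Response($this->getUser()?->getUserIdentifier() ?? 'anonymous');
    }

    // Stateless route on the same firewall: per the report it must ignore the
    // session, neither storing a token in it nor removing one from it.
    #[Route('/stateless-probe', name: 'stateless_probe', stateless: true)]
    public function stateless(): Response
    {
        return new Response('ok');
    }
}

// ---- tests/Functional/StatelessRouteSessionTest.php ----
namespace App\Tests\Functional;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\Security\Core\User\InMemoryUser;

final class StatelessRouteSessionTest extends WebTestCase
{
    public function testStatelessRouteKeepsExistingSession(): void
    {
        $client = self::createClient();

        // Step 2 of the report: authenticate and store the user in the session.
        // loginUser() puts a token in the session and sets the session cookie
        // on the test client, as a completed form login would.
        $client->loginUser(new InMemoryUser('alice', 'secret', ['ROLE_USER']), 'main');

        $client->request('GET', '/session-probe');
        self::assertResponseIsSuccessful();
        self::assertSame('alice', $client->getResponse()->getContent());

        // Step 3: hit the stateless route. It must not expire the session
        // cookie (an expired Set-Cookie is what deletes it in the browser)...
        $client->request('GET', '/stateless-probe');
        self::assertResponseIsSuccessful();
        foreach ($client->getResponse()->headers->getCookies() as $cookie) {
            self::assertFalse(
                $cookie->isCleared(),
                sprintf('stateless route expired cookie "%s"', $cookie->getName())
            );
        }

        // ...nor drop the token: the next stateful request is still "alice".
        // On an affected version this final assertion fails with "anonymous".
        $client->request('GET', '/session-probe');
        self::assertResponseIsSuccessful();
        self::assertSame('alice', $client->getResponse()->getContent());
    }
}
```

Run it with `php bin/phpunit --filter StatelessRouteSessionTest`. The test checks the symptom from both sides: the Set-Cookie headers of the stateless response (no cookie may be expired) and the authentication state of the following stateful request, so it distinguishes "cookie deleted" from "token removed but cookie kept", which point at different parts of the response handling.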
