Skip to content

[HttpKernel] Send new session cookie from AbstractTestSessionListener after session invalidation #26157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 19, 2018
Merged

[HttpKernel] Send new session cookie from AbstractTestSessionListener after session invalidation #26157

merged 1 commit into from
Feb 19, 2018

Conversation

rpkamp
Copy link
Contributor

@rpkamp rpkamp commented Feb 12, 2018

When we call \Symfony\Component\HttpFoundation\Session\Session::invalidate the session will be emptied and given a new ID, however, since it is empty this AbstractTestSessionListener will not send a new cookie to the user, so the user is not caught up to the latest session ID and will re-generate a session with the old session ID on a new visit.
Thus, we the sessionID has changed during a request we must always send a new cookie with the new sessionID, even though the session is empty.

This behaviour is also what is shown in production (non-test) mode.

Q A
Branch? master
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets N/A
License MIT

@nicolas-grekas nicolas-grekas added this to the 3.4 milestone Feb 14, 2018
@nicolas-grekas nicolas-grekas changed the base branch from master to 3.4 February 14, 2018 12:30
@nicolas-grekas nicolas-grekas changed the title Send new session cookie from AbstractTestSessionListener after session invalidation [HttpKernel] Send new session cookie from AbstractTestSessionListener after session invalidation Feb 14, 2018
@nicolas-grekas nicolas-grekas changed the base branch from 3.4 to master February 14, 2018 12:31
@nicolas-grekas
Copy link
Member

@rpkamp would you mind adding a test case please?

nicolas-grekas
nicolas-grekas reviewed Feb 14, 2018
View reviewed changes
src/Symfony/Component/HttpKernel/EventListener/AbstractTestSessionListener.php Outdated
@@ -45,6 +47,7 @@ public function onKernelRequest(GetResponseEvent $event)

if ($cookies->has($session->getName())) {
$session->setId($cookies->get($session->getName()));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest to move this line below the current next one, and write it as:
$session->setId($this->initialSessionId)

@nicolas-grekas nicolas-grekas changed the base branch from master to 3.4 February 14, 2018 13:50
@rpkamp
Copy link
Contributor Author

rpkamp commented Feb 16, 2018

@nicolas-grekas I've added the test, as requested 😃

@nicolas-grekas
Copy link
Member

Thank you @rpkamp.

@nicolas-grekas nicolas-grekas merged commit 98f5d53 into symfony:3.4 Feb 19, 2018
nicolas-grekas added a commit that referenced this pull request Feb 19, 2018
@nicolas-grekas
bug #26157 [HttpKernel] Send new session cookie from AbstractTestSess…
b3c7ba7 
…ionListener after session invalidation (rpkamp)

This PR was merged into the 3.4 branch.

Discussion
----------

[HttpKernel] Send new session cookie from AbstractTestSessionListener after session invalidation

When we call `\Symfony\Component\HttpFoundation\Session\Session::invalidate` the session will be emptied and given a new ID, however, since it is empty this `AbstractTestSessionListener` will not send a new cookie to the user, so the user is not caught up to the latest session ID and will re-generate a session with the old session ID on a new visit.
Thus, we the sessionID has changed during a request we must always send a new cookie with the new sessionID, even though the session is empty.

This behaviour is also what is shown in production (non-test) mode.

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | N/A
| License       | MIT

Commits
-------

98f5d53 [HttpKernel] Send new session cookie from AbstractTestSessionListener after session invalidation
@rpkamp rpkamp deleted the patch-1 branch February 19, 2018 17:02
This was referenced Mar 1, 2018
Merged
Merged
@thewilkybarkid thewilkybarkid mentioned this pull request Jun 20, 2018
Merged
nicolas-grekas added a commit that referenced this pull request Jul 1, 2018
@nicolas-grekas
bug #27659 [HttpKernel] Make AbstractTestSessionListener compatible w…
52b91bb 
…ith CookieClearingLogoutHandler (thewilkybarkid)

This PR was squashed before being merged into the 3.4 branch (closes #27659).

Discussion
----------

[HttpKernel] Make AbstractTestSessionListener compatible with CookieClearingLogoutHandler

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

#26157 started to send a new cookie in `AbstractTestSessionListener`, but is incompatible with `CookieClearingLogoutHandler` as it overrides its `Set-Cookie` by setting a new cookie (breaking my test that checked to see that the cookie was removed after a log out).

Commits
-------

f54d969 [HttpKernel] Make AbstractTestSessionListener compatible with CookieClearingLogoutHandler
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

Assignees
No one assigned
Labels
Bug Status: Reviewed
Projects
None yet
Milestone
3.4
Development

Successfully merging this pull request may close these issues.
3 participants
@rpkamp @nicolas-grekas @carsonbot