symfony
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
Lines changed: 6 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/HttpFoundation/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Session/Session.php
Lines changed: 10 additions & 2 deletions b/‎src/Symfony/Component/HttpFoundation/Session/Session.php
Lines changed: 10 additions & 2 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Session/SessionBagProxy.php
Lines changed: 13 additions & 1 deletion b/‎src/Symfony/Component/HttpFoundation/Session/SessionBagProxy.php
Lines changed: 13 additions & 1 deletion
diff --git a/‎src/Symfony/Component/HttpFoundation/Tests/Session/SessionTest.php
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Component/HttpFoundation/Tests/Session/SessionTest.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/HttpKernel/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/HttpKernel/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
Lines changed: 31 additions & 0 deletions b/‎src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
Lines changed: 31 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
Lines changed: 59 additions & 0 deletions b/‎src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
Lines changed: 59 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/ContextListener.php
Lines changed: 3 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Firewall/ContextListener.php
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php
Lines changed: 17 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php
Lines changed: 17 additions & 0 deletions
@@ -13,6 +13,12 @@
 
         <service id="session" class="Symfony\Component\HttpFoundation\Session\Session" public="true">
             <argument type="service" id="session.storage" />
+            <argument>null</argument> <!-- AttributeBagInterface -->
+            <argument>null</argument> <!-- FlashBagInterface -->
+            <argument type="collection">
+                <argument type="service" id="session_listener" />
+                <argument>onSessionUsage</argument>
+            </argument>
         </service>
 
         <service id="Symfony\Component\HttpFoundation\Session\SessionInterface" alias="session" />
 
@@ -14,6 +14,7 @@ CHANGELOG
    according to [RFC 8674](https://tools.ietf.org/html/rfc8674)
  * made the Mime component an optional dependency
  * added `MarshallingSessionHandler`, `IdentityMarshaller`
+ * made `Session` accept a callback to report when the session is being used
 
 5.0.0
 -----
 
@@ -35,10 +35,12 @@ class Session implements SessionInterface, \IteratorAggregate, \Countable
     private $attributeName;
     private $data = [];
     private $usageIndex = 0;
+    private $usageReporter;
 
-    public function __construct(SessionStorageInterface $storage = null, AttributeBagInterface $attributes = null, FlashBagInterface $flashes = null)
+    public function __construct(SessionStorageInterface $storage = null, AttributeBagInterface $attributes = null, FlashBagInterface $flashes = null, callable $usageReporter = null)
     {
         $this->storage = $storage ?: new NativeSessionStorage();
+        $this->usageReporter = $usageReporter;
 
         $attributes = $attributes ?: new AttributeBag();
         $this->attributeName = $attributes->getName();
@@ -153,6 +155,9 @@ public function isEmpty(): bool
     {
         if ($this->isStarted()) {
             ++$this->usageIndex;
+            if ($this->usageReporter && 0 <= $this->usageIndex) {
+                ($this->usageReporter)();
+            }
         }
         foreach ($this->data as &$data) {
             if (!empty($data)) {
@@ -229,6 +234,9 @@ public function setName(string $name)
     public function getMetadataBag()
     {
         ++$this->usageIndex;
+        if ($this->usageReporter && 0 <= $this->usageIndex) {
+            ($this->usageReporter)();
+        }
 
         return $this->storage->getMetadataBag();
     }
@@ -238,7 +246,7 @@ public function getMetadataBag()
      */
     public function registerBag(SessionBagInterface $bag)
     {
-        $this->storage->registerBag(new SessionBagProxy($bag, $this->data, $this->usageIndex));
+        $this->storage->registerBag(new SessionBagProxy($bag, $this->data, $this->usageIndex, $this->usageReporter));
     }
 
     /**
 
@@ -21,17 +21,22 @@ final class SessionBagProxy implements SessionBagInterface
     private $bag;
     private $data;
     private $usageIndex;
+    private $usageReporter;
 
-    public function __construct(SessionBagInterface $bag, array &$data, ?int &$<
10000
/span>usageIndex)
+    public function __construct(SessionBagInterface $bag, array &$data, ?int &$usageIndex, ?callable $usageReporter)
     {
         $this->bag = $bag;
         $this->data = &$data;
         $this->usageIndex = &$usageIndex;
+        $this->usageReporter = $usageReporter;
     }
 
     public function getBag(): SessionBagInterface
     {
         ++$this->usageIndex;
+        if ($this->usageReporter && 0 <= $this->usageIndex) {
+            ($this->usageReporter)();
+        }
 
         return $this->bag;
     }
@@ -42,6 +47,9 @@ public function isEmpty(): bool
             return true;
         }
         ++$this->usageIndex;
+        if ($this->usageReporter && 0 <= $this->usageIndex) {
+            ($this->usageReporter)();
+        }
 
         return empty($this->data[$this->bag->getStorageKey()]);
     }
@@ -60,6 +68,10 @@ public function getName(): string
     public function initialize(array &$array): void
     {
         ++$this->usageIndex;
+        if ($this->usageReporter && 0 <= $this->usageIndex) {
+            ($this->usageReporter)();
+        }
+
         $this->data[$this->bag->getStorageKey()] = &$array;
 
         $this->bag->initialize($array);
 
@@ -281,7 +281,7 @@ public function testGetBagWithBagNotImplementingGetBag()
         $bag->setName('foo');
 
         $storage = new MockArraySessionStorage();
-        $storage->registerBag(new SessionBagProxy($bag, $data, $usageIndex));
+        $storage->registerBag(new SessionBagProxy($bag, $data, $usageIndex, null));
 
         $this->assertSame($bag, (new Session($storage))->getBag('foo'));
     }
 
@@ -6,6 +6,7 @@ CHANGELOG
 
  * allowed using public aliases to reference controllers
  * added session usage reporting when the `_stateless` attribute of the request is set to `true`
+ * added `AbstractSessionListener::onSessionUsage()` to report when the session is used while a request is stateless
 
 5.0.0
 -----
 
@@ -146,6 +146,37 @@ public function onFinishRequest(FinishRequestEvent $event)
         }
     }
 
+    public function onSessionUsage(): void
+    {
+        if (!$this->debug) {
+            return;
+        }
+
+        if (!$requestStack = $this->container && $this->container->has('request_stack') ? $this->container->get('request_stack') : null) {
+            return;
+        }
+
+        $stateless = false;
+        $clonedRequestStack = clone $requestStack;
+        while (null !== ($request = $clonedRequestStack->pop()) && !$stateless) {
+            $stateless = $request->attributes->get('_stateless');
+        }
+
+        if (!$stateless) {
+            return;
+        }
+
+        if (!$session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : $requestStack->getCurrentRequest()->getSession()) {
+            return;
+        }
+
+        if ($session->isStarted()) {
+            $session->save();
+        }
+
+        throw new UnexpectedSessionUsageException('Session was used while the request was declared stateless.');
+    }
+
     public static function getSubscribedEvents(): array
     {
         return [
 
@@ -244,4 +244,63 @@ public function testSessionIsSavedWhenUnexpectedSessionExceptionThrown()
         $this->expectException(UnexpectedSessionUsageException::class);
         $listener->onKernelResponse(new ResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, $response));
     }
+
+    public function testSessionUsageCallbackWhenDebugAndStateless()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+        $session->method('isStarted')->willReturn(true);
+        $session->expects($this->exactly(1))->method('save');
+
+        $requestStack = new RequestStack();
+
+        $request = new Request();
+        $request->attributes->set('_stateless', true);
+
+        $requestStack->push(new Request());
+        $requestStack->push($request);
+        $requestStack->push(new Request());
+
+        $container = new Container();
+        $container->set('initialized_session', $session);
+        $container->set('request_stack', $requestStack);
+
+        $this->expectException(UnexpectedSessionUsageException::class);
+        (new SessionListener($container, true))->onSessionUsage();
+    }
+
+    public function testSessionUsageCallbackWhenNoDebug()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+        $session->method('isStarted')->willReturn(true);
+        $session->expects($this->exactly(0))->method('save');
+
+        $request = new Request();
+        $request->attributes->set('_stateless', true);
+
+        $requestStack = $this->getMockBuilder(RequestStack::class)->getMock();
+        $requestStack->expects($this->never())->method('getMasterRequest')->willReturn($request);
+
+        $container = new Container();
+        $container->set('initialized_session', $session);
+        $container->set('request_stack', $requestStack);
+
+        (new SessionListener($container))->onSessionUsage();
+    }
+
+    public function testSessionUsageCallbackWhenNoStateless()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+        $session->method('isStarted')->willReturn(true);
+        $session->expects($this->never())->method('save');
+
+        $requestStack = new RequestStack();
+        $requestStack->push(new Request());
+        $requestStack->push(new Request());
+
+        $container = new Container();
+        $container->set('initialized_session', $session);
+        $container->set('request_stack', $requestStack);
+
+        (new SessionListener($container, true))->onSessionUsage();
+    }
 }
@@ -96,11 +96,14 @@ public function authenticate(RequestEvent $event)
 
         if (null !== $session) {
             $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : 0;
+            $usageIndexReference = PHP_INT_MIN;
             $sessionId = $request->cookies->get($session->getName());
             $token = $session->get($this->sessionKey);
 
             if ($this->sessionTrackerEnabler && \in_array($sessionId, [true, $session->getId()], true)) {
                 $usageIndexReference = $usageIndexValue;
+            } else {
+                $usageIndexReference = $usageIndexReference - PHP_INT_MIN + $usageIndexValue;
             }
         }
 
 
@@ -361,6 +361,23 @@ public function testWithPreviousNotStartedSession()
         $this->assertSame($usageIndex, $session->getUsageIndex());
     }
 
+    public function testSessionIsNotReported()
+    {
+        $usageReporter = $this->getMockBuilder(\stdClass::class)->setMethods(['__invoke'])->getMock();
+        $usageReporter->expects($this->never())->method('__invoke');
+
+        $session = new Session(new MockArraySessionStorage(), null, null, $usageReporter);
+
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set('MOCKSESSID', true);
+
+        $tokenStorage = new TokenStorage();
+
+        $listener = new ContextListener($tokenStorage, [], 'context_key', null, null, null, [$tokenStorage, 'getToken']);
+        $listener(new RequestEvent($this->getMockBuilder(HttpKernelInterface::class)->getMock(), $request, HttpKernelInterface::MASTER_REQUEST));
+    }
+
     protected function runSessionOnKernelResponse($newToken, $original = null)
     {
         $session = new Session(new MockArraySessionStorage());
Original file line number	Diff line number	Diff line change
`@@ -35,10 +35,12 @@ class Session implements SessionInterface, \IteratorAggregate, \Countable`
`35`	`35`	`private $attributeName;`
`36`	`36`	`private $data = [];`
`37`	`37`	`private $usageIndex = 0;`
	`38`	`+ private $usageReporter;`
`38`	`39`
`39`		`- public function __construct(SessionStorageInterface $storage = null, AttributeBagInterface $attributes = null, FlashBagInterface $flashes = null)`
	`40`	`+ public function __construct(SessionStorageInterface $storage = null, AttributeBagInterface $attributes = null, FlashBagInterface $flashes = null, callable $usageReporter = null)`
`40`	`41`	`{`
`41`	`42`	`$this->storage = $storage ?: new NativeSessionStorage();`
	`43`	`+ $this->usageReporter = $usageReporter;`
`42`	`44`
`43`	`45`	`$attributes = $attributes ?: new AttributeBag();`
`44`	`46`	`$this->attributeName = $attributes->getName();`
`@@ -153,6 +155,9 @@ public function isEmpty(): bool`
`153`	`155`	`{`
`154`	`156`	`if ($this->isStarted()) {`
`155`	`157`	`++$this->usageIndex;`
	`158`	`+ if ($this->usageReporter && 0 <= $this->usageIndex) {`
	`159`	`+ ($this->usageReporter)();`
	`160`	`+ }`
`156`	`161`	`}`
`157`	`162`	`foreach ($this->data as &$data) {`
`158`	`163`	`if (!empty($data)) {`
`@@ -229,6 +234,9 @@ public function setName(string $name)`
`229`	`234`	`public function getMetadataBag()`
`230`	`235`	`{`
`231`	`236`	`++$this->usageIndex;`
	`237`	`+ if ($this->usageReporter && 0 <= $this->usageIndex) {`
	`238`	`+ ($this->usageReporter)();`
	`239`	`+ }`
`232`	`240`
`233`	`241`	`return $this->storage->getMetadataBag();`
`234`	`242`	`}`
`@@ -238,7 +246,7 @@ public function getMetadataBag()`
`238`	`246`	`*/`
`239`	`247`	`public function registerBag(SessionBagInterface $bag)`
`240`	`248`	`{`
`241`		`- $this->storage->registerBag(new SessionBagProxy($bag, $this->data, $this->usageIndex));`
	`249`	`+ $this->storage->registerBag(new SessionBagProxy($bag, $this->data, $this->usageIndex, $this->usageReporter));`
`242`	`250`	`}`
`243`	`251`
`244`	`252`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -21,17 +21,22 @@ final class SessionBagProxy implements SessionBagInterface`
`21`	`21`	`private $bag;`
`22`	`22`	`private $data;`
`23`	`23`	`private $usageIndex;`
	`24`	`+ private $usageReporter;`
`24`	`25`
`25`		`- public function __construct(SessionBagInterface $bag, array &$data, ?int &$< 10000 /span>usageIndex)`
	`26`	`+ public function __construct(SessionBagInterface $bag, array &$data, ?int &$usageIndex, ?callable $usageReporter)`
`26`	`27`	`{`
`27`	`28`	`$this->bag = $bag;`
`28`	`29`	`$this->data = &$data;`
`29`	`30`	`$this->usageIndex = &$usageIndex;`
	`31`	`+ $this->usageReporter = $usageReporter;`
`30`	`32`	`}`
`31`	`33`
`32`	`34`	`public function getBag(): SessionBagInterface`
`33`	`35`	`{`
`34`	`36`	`++$this->usageIndex;`
	`37`	`+ if ($this->usageReporter && 0 <= $this->usageIndex) {`
	`38`	`+ ($this->usageReporter)();`
	`39`	`+ }`
`35`	`40`
`36`	`41`	`return $this->bag;`
`37`	`42`	`}`
`@@ -42,6 +47,9 @@ public function isEmpty(): bool`
`42`	`47`	`return true;`
`43`	`48`	`}`
`44`	`49`	`++$this->usageIndex;`
	`50`	`+ if ($this->usageReporter && 0 <= $this->usageIndex) {`
	`51`	`+ ($this->usageReporter)();`
	`52`	`+ }`
`45`	`53`
`46`	`54`	`return empty($this->data[$this->bag->getStorageKey()]);`
`47`	`55`	`}`
`@@ -60,6 +68,10 @@ public function getName(): string`
`60`	`68`	`public function initialize(array &$array): void`
`61`	`69`	`{`
`62`	`70`	`++$this->usageIndex;`
	`71`	`+ if ($this->usageReporter && 0 <= $this->usageIndex) {`
	`72`	`+ ($this->usageReporter)();`
	`73`	`+ }`
	`74`	`+`
`63`	`75`	`$this->data[$this->bag->getStorageKey()] = &$array;`
`64`	`76`
`65`	`77`	`$this->bag->initialize($array);`
Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,7 @@ public function testGetBagWithBagNotImplementingGetBag()`
`281`	`281`	`$bag->setName('foo');`
`282`	`282`
`283`	`283`	`$storage = new MockArraySessionStorage();`
`284`		`- $storage->registerBag(new SessionBagProxy($bag, $data, $usageIndex));`
	`284`	`+ $storage->registerBag(new SessionBagProxy($bag, $data, $usageIndex, null));`
`285`	`285`
`286`	`286`	`$this->assertSame($bag, (new Session($storage))->getBag('foo'));`
`287`	`287`	`}`
Original file line number	Diff line number	Diff line change
`@@ -96,11 +96,14 @@ public function authenticate(RequestEvent $event)`
`96`	`96`
`97`	`97`	`if (null !== $session) {`
`98`	`98`	`$usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : 0;`
	`99`	`+ $usageIndexReference = PHP_INT_MIN;`
`99`	`100`	`$sessionId = $request->cookies->get($session->getName());`
`100`	`101`	`$token = $session->get($this->sessionKey);`
`101`	`102`
`102`	`103`	`if ($this->sessionTrackerEnabler && \in_array($sessionId, [true, $session->getId()], true)) {`
`103`	`104`	`$usageIndexReference = $usageIndexValue;`
	`105`	`+ } else {`
	`106`	`+ $usageIndexReference = $usageIndexReference - PHP_INT_MIN + $usageIndexValue;`
`104`	`107`	`}`
`105`	`108`	`}`
`106`	`109`