bug #44437 [HttpKernel] Fix wrong usage of SessionUtils::popSessionCookie (simonchrz)

derrabus · derrabus · commit cd3dddf58f87 · 2021-12-06T12:44:12.000+01:00
This PR was merged into the 5.4 branch. Discussion ---------- [HttpKernel] Fix wrong usage of SessionUtils::popSessionCookie | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #44434 | License | MIT The function onKernelResponse() removes possible Set-Cookie headers from headers_list by using SessionUtils::popSessionCookie($sessionName, $sessionCookiePath); https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php#L149 2nd expected parameter of SessionUtils::popSessionCookie function is the sessionId, not the $sessionCookiePath https://github.com/symfony/symfony/blob/v5.4.0/src/Symfony/Component/HttpFoundation/Session/SessionUtils.php#L28 Commits ------- 36b466e use $sessionId instead of $sessionCookiePath on SessionUtils::popSessionCookie call
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
@@ -146,7 +146,7 @@ public function onKernelResponse(ResponseEvent $event)
             $sessionCookieHttpOnly = $this->sessionOptions['cookie_httponly'] ?? true;
             $sessionCookieSameSite = $this->sessionOptions['cookie_samesite'] ?? Cookie::SAMESITE_LAX;
 
-            SessionUtils::popSessionCookie($sessionName, $sessionCookiePath);
+            SessionUtils::popSessionCookie($sessionName, $sessionId);
 
             $request = $event->getRequest();
             $requestSessionCookieId = $request->cookies->get($sessionName);
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
@@ -312,6 +312,7 @@ public function testSessionUsageLogIfStatelessAndSessionUsed()
     public function testSessionIsSavedWhenUnexpectedSessionExceptionThrown()
     {
         $session = $this->createMock(Session::class);
+        $session->expects($this->exactly(1))->method('getId')->willReturn('123456');
         $session->expects($this->exactly(1))->method('getName')->willReturn('PHPSESSID');
         $session->method('isStarted')->willReturn(true);
         $session->expects($this->exactly(2))->method('getUsageIndex')->will($this->onConsecutiveCalls(0, 1));

Original file line number	Diff line number	Diff line change
`@@ -312,6 +312,7 @@ public function testSessionUsageLogIfStatelessAndSessionUsed()`
`312`	`312`	`public function testSessionIsSavedWhenUnexpectedSessionExceptionThrown()`
`313`	`313`	`{`
`314`	`314`	`$session = $this->createMock(Session::class);`
	`315`	`+ $session->expects($this->exactly(1))->method('getId')->willReturn('123456');`
`315`	`316`	`$session->expects($this->exactly(1))->method('getName')->willReturn('PHPSESSID');`
`316`	`317`	`$session->method('isStarted')->willReturn(true);`
`317`	`318`	`$session->expects($this->exactly(2))->method('getUsageIndex')->will($this->onConsecutiveCalls(0, 1));`