[HttpKernel] wrong usage of SessionUtils::popSessionCookie AbstractSessionListener #44434


Closed
simonchrz opened this issue Dec 3, 2021 · 0 comments

Comments

@simonchrz
Contributor
simonchrz commented Dec 3, 2021

Symfony version(s) affected

5.4.0

Description

On Kernel response we currently get two Set-Cookie headers == one generated by php because of a session_start() call and the other one created by the symfony SessionListener. The parent class AbstractSessionListener wants to remove possible other Set-Cookie headers by using the SessionUtils::popSessionCookie function. This doesn't work right now because of a wrong function usage == 2nd parameter is not the sessionId as expected.

The function onKernelResponse() removes possible Set-Cookie headers from headers_list by using SessionUtils::popSessionCookie($sessionName, $sessionCookiePath);
https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php#L149

2nd expected parameter of SessionUtils::popSessionCookie function is the sessionId, not the $sessionCookiePath
https://github.com/symfony/symfony/blob/v5.4.0/src/Symfony/Component/HttpFoundation/Session/SessionUtils.php#L28

How to reproduce

see description

Possible Solution

replace wrong parameter by $sessionId on https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php#L149

Additional Context

No response

@simonchrz simonchrz added the Bug label Dec 3, 2021
derrabus added a commit that referenced this issue Dec 6, 2021
…okie (simonchrz)

This PR was merged into the 5.4 branch.

Discussion
----------

[HttpKernel] Fix wrong usage of SessionUtils::popSessionCookie

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #44434
| License       | MIT

The function onKernelResponse() removes possible Set-Cookie headers from headers_list by using SessionUtils::popSessionCookie($sessionName, $sessionCookiePath);
https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php#L149

2nd expected parameter of SessionUtils::popSessionCookie function is the sessionId, not the $sessionCookiePath
https://github.com/symfony/symfony/blob/v5.4.0/src/Symfony/Component/HttpFoundation/Session/SessionUtils.php#L28

Commits
-------

36b466e use $sessionId instead of $sessionCookiePath on SessionUtils::popSessionCookie call
@fabpot fabpot closed this as completed Dec 6, 2021
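
The argument mismatch described in this issue, as an added example that is not part of the thread and is not Symfony's code: a simplified model of "remove the native session Set-Cookie header by name and id", run once with the cookie path and once with the session id as second argument. The helper names, the header lines and the cookie attributes are constructed for illustration, and the header list is passed in as an array rather than read from `headers_list()`.

```php
<?php
// Added illustration: simplified model, not the SessionUtils implementation.

/** Drops the Set-Cookie line carrying exactly $sessionName=$second (hypothetical helper). */
function dropNativeSessionCookie(array $headers, string $sessionName, string $second): array
{
    $needle = sprintf('%s=%s;', urlencode($sessionName), urlencode($second));
    $kept = [];
    foreach ($headers as $line) {
        $isSetCookie = 0 === stripos($line, 'Set-Cookie:');
        $value = $isSetCookie ? ltrim(substr($line, 11)) : '';
        if ($isSetCookie && 0 === strpos($value, $needle)) {
            continue; // native session cookie matched: removed
        }
        $kept[] = $line;
    }
    return $kept;
}

/** Counts Set-Cookie lines that set the session cookie (hypothetical helper). */
function countSessionCookies(array $headers, string $sessionName): int
{
    $prefix = urlencode($sessionName).'=';
    $n = 0;
    foreach ($headers as $line) {
        if (0 === stripos($line, 'Set-Cookie:') && 0 === strpos(ltrim(substr($line, 11)), $prefix)) {
            ++$n;
        }
    }
    return $n;
}

// Constructed sample values.
$sessionName = 'PHPSESSID';
$sessionId = 'a1b2c3constructed';
$cookiePath = '/';
// Headers as PHP would emit them after session_start(), plus an unrelated cookie.
$native = [
    'Set-Cookie: PHPSESSID=a1b2c3constructed; path=/',
    'Set-Cookie: theme=dark; path=/',
];
// Cookie the listener adds itself (attributes are assumptions).
$listenerCookie = 'Set-Cookie: PHPSESSID=a1b2c3constructed; path=/; secure; httponly';

foreach (['cookie path as 2nd arg' => $cookiePath, 'session id as 2nd arg' => $sessionId] as $label => $second) {
    $out = dropNativeSessionCookie($native, $sessionName, $second);
    $out[] = $listenerCookie;
    printf("%-24s -> %d session Set-Cookie header(s)\n", $label, countSessionCookies($out, $sessionName));
}
```

Counting session Set-Cookie headers on a response, as `countSessionCookies()` does here, also works as a regression check in a functional test for this class of bug.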