symfony · nicolas-grekas · Jan 19, 2023 · Jan 17, 2023
diff --git a/src/Symfony/Component/HttpFoundation/Session/SessionUtils.php b/src/Symfony/Component/HttpFoundation/Session/SessionUtils.php
@@ -25,7 +25,7 @@ final class SessionUtils
      * Finds the session header amongst the headers that are to be sent, removes it, and returns
      * it so the caller can process it further.
      */
-    public static function popSessionCookie(string $sessionName, string $sessionId): ?string
+    public static function popSessionCookie(string $sessionName, #[\SensitiveParameter] string $sessionId): ?string
     {
         $sessionCookie = null;
         $sessionCookiePrefix = sprintf(' %s=', urlencode($sessionName));

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php
@@ -38,21 +38,21 @@ public function open(string $savePath, string $sessionName): bool
         return true;
     }
 
-    abstract protected function doRead(string $sessionId): string;
+    abstract protected function doRead(#[\SensitiveParameter] string $sessionId): string;
 
-    abstract protected function doWrite(string $sessionId, string $data): bool;
+    abstract protected function doWrite(#[\SensitiveParameter] string $sessionId, string $data): bool;
 
-    abstract protected function doDestroy(string $sessionId): bool;
+    abstract protected function doDestroy(#[\SensitiveParameter] string $sessionId): bool;
 
-    public function validateId(string $sessionId): bool
+    public function validateId(#[\SensitiveParameter] string $sessionId): bool
     {
         $this->prefetchData = $this->read($sessionId);
         $this->prefetchId = $sessionId;
 
         return '' !== $this->prefetchData;
     }
 
-    public function read(string $sessionId): string
+    public function read(#[\SensitiveParameter] string $sessionId): string
     {
         if (isset($this->prefetchId)) {
             $prefetchId = $this->prefetchId;
@@ -72,7 +72,7 @@ public function read(string $sessionId): string
         return $data;
     }
 
-    public function write(string $sessionId, string $data): bool
+    public function write(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         // see https://github.com/igbinary/igbinary/issues/146
         $this->igbinaryEmptyData ??= \function_exists('igbinary_serialize') ? igbinary_serialize([]) : '';
@@ -84,7 +84,7 @@ public function write(string $sessionId, string $data): bool
         return $this->doWrite($sessionId, $data);
     }
 
-    public function destroy(string $sessionId): bool
+    public function destroy(#[\SensitiveParameter] string $sessionId): bool
     {
         if (!headers_sent() && filter_var(\ini_get('session.use_cookies'), \FILTER_VALIDATE_BOOL)) {
             if (!isset($this->sessionName)) {

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MarshallingSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MarshallingSessionHandler.php
@@ -37,7 +37,7 @@ public function close(): bool
         return $this->handler->close();
     }
 
-    public function destroy(string $sessionId): bool
+    public function destroy(#[\SensitiveParameter] string $sessionId): bool
     {
         return $this->handler->destroy($sessionId);
     }
@@ -47,12 +47,12 @@ public function gc(int $maxlifetime): int|false
         return $this->handler->gc($maxlifetime);
     }
 
-    public function read(string $sessionId): string
+    public function read(#[\SensitiveParameter] string $sessionId): string
     {
         return $this->marshaller->unmarshall($this->handler->read($sessionId));
     }
 
-    public function write(string $sessionId, string $data): bool
+    public function write(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         $failed = [];
         $marshalledData = $this->marshaller->marshall(['data' => $data], $failed);
@@ -64,12 +64,12 @@ public function write(string $sessionId, string $data): bool
         return $this->handler->write($sessionId, $marshalledData['data']);
     }
 
-    public function validateId(string $sessionId): bool
+    public function validateId(#[\SensitiveParameter] string $sessionId): bool
     {
         return $this->handler->validateId($sessionId);
     }
 
-    public function updateTimestamp(string $sessionId, string $data): bool
+    public function updateTimestamp(#[\Sensiti
8000
veParameter] string $sessionId, string $data): bool
     {
         return $this->handler->updateTimestamp($sessionId, $data);
     }

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MemcachedSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MemcachedSessionHandler.php
@@ -59,19 +59,19 @@ public function close(): bool
         return $this->memcached->quit();
     }
 
-    protected function doRead(string $sessionId): string
+    protected function doRead(#[\SensitiveParameter] string $sessionId): string
     {
         return $this->memcached->get($this->prefix.$sessionId) ?: '';
     }
 
-    public function updateTimestamp(string $sessionId, string $data): bool
+    public function updateTimestamp(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         $this->memcached->touch($this->prefix.$sessionId, $this->getCompatibleTtl());
 
         return true;
     }
 
-    protected function doWrite(string $sessionId, string $data): bool
+    protected function doWrite(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
10000
         return $this->memcached->set($this->prefix.$sessionId, $data, $this->getCompatibleTtl());
     }
@@ -89,7 +89,7 @@ private function getCompatibleTtl(): int
         return $ttl;
     }
 
-    protected function doDestroy(string $sessionId): bool
+    protected function doDestroy(#[\SensitiveParameter] string $sessionId): bool
     {
         $result = $this->memcached->delete($this->prefix.$sessionId);
 

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MigratingSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MigratingSessionHandler.php
@@ -46,7 +46,7 @@ public function close(): bool
         return $result;
     }
 
-    public function destroy(string $sessionId): bool
+    public function destroy(#[\SensitiveParameter] string $sessionId): bool
     {
         $result = $this->currentHandler->destroy($sessionId);
         $this->writeOnlyHandler->destroy($sessionId);
@@ -70,27 +70,27 @@ public function open(string $savePath, string $sessionName): bool
         return $result;
     }
 
-    public function read(string $sessionId): string
+    public function read(#[\SensitiveParameter] string $sessionId): string
     {
         // No reading from new handler until switch-over
         return $this->currentHandler->read($sessionId);
     }
 
-    public function write(string $sessionId, string $sessionData): bool
+    public function write(#[\SensitiveParameter] string $sessionId, string $sessionData): bool
     {
         $result = $this->currentHandler->write($sessionId, $sessionData);
         $this->writeOnlyHandler->write($sessionId, $sessionData);
 
         return $result;
     }
 
-    public function validateId(string $sessionId): bool
+    public function validateId(#[\SensitiveParameter] string $sessionId): bool
     {
         // No reading from new handler until switch-over
         return $this->currentHandler->validateId($sessionId);
     }
 
-    public function updateTimestamp(string $sessionId, string $sessionData): bool
+    public function updateTimestamp(#[\SensitiveParameter] string $sessionId, string $sessionData): bool
     {
         $result = $this->currentHandler->updateTimestamp($sessionId, $sessionData);
         $this->writeOnlyHandler->updateTimestamp($sessionId, $sessionData);

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MongoDbSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MongoDbSessionHandler.php
@@ -84,7 +84,7 @@ public function close(): bool
         return true;
     }
 
-    protected function doDestroy(string $sessionId): bool
+    protected function doDestroy(#[\SensitiveParameter] string $sessionId): bool
     {
         $this->getCollection()->deleteOne([
             $this->options['id_field'] => $sessionId,
@@ -100,7 +100,7 @@ public function gc(int $maxlifetime): int|false
         ])->getDeletedCount();
     }
 
-    protected function doWrite(string $sessionId, string $data): bool
+    protected function doWrite(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         $ttl = ($this->ttl instanceof \Closure ? ($this->ttl)() : $this->ttl) ?? \ini_get('session.gc_maxlifetime');
         $expiry = new UTCDateTime((time() + (int) $ttl) * 1000);
@@ -120,7 +120,7 @@ protected function doWrite(string $sessionId, string $data): bool
         return true;
     }
 
-    public function updateTimestamp(string $sessionId, string $data): bool
+    public function updateTimestamp(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         $ttl = ($this->ttl instanceof \Closure ? ($this->ttl)() : $this->ttl) ?? \ini_get('session.gc_maxlifetime');
         $expiry = new UTCDateTime((time() + (int) $ttl) * 1000);
@@ -136,7 +136,7 @@ public function updateTimestamp(string $sessionId, string $data): bool
         return true;
     }
 
-    protected function doRead(string $sessionId): string
+    protected function doRead(#[\SensitiveParameter] string $sessionId): string
     {
         $dbData = $this->getCollection()->findOne([
             $this->options['id_field'] => $sessionId,

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/NullSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/NullSessionHandler.php
@@ -23,27 +23,27 @@ public function close(): bool
         return true;
     }
 
-    public function validateId(string $sessionId): bool
+    public function validateId(#[\SensitiveParameter] string $sessionId): bool
     {
         return true;
     }
 
-    protected function doRead(string $sessionId): string
+    protected function doRead(#[\SensitiveParameter] string $sessionId): string
     {
         return '';
     }
 
-    public function updateTimestamp(string $sessionId, string $data): bool
+    public function updateTimestamp(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         return true;
     }
 
-    protected function doWrite(string $sessionId, string $data): bool
+    protected function doWrite(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         return true;
     }
 
-    protected function doDestroy(string $sessionId): bool
+    protected function doDestroy(#[\SensitiveParameter] string $sessionId): bool
     {
         return true;
     }

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php
@@ -285,7 +285,7 @@ public function open(string $savePath, string $sessionName): bool
         return parent::open($savePath, $sessionName);
     }
 
-    public function read(string $sessionId): string
+    public function read(#[\SensitiveParameter] string $sessionId): string
     {
         try {
             return parent::read($sessionId);
@@ -305,7 +305,7 @@ public function gc(int $maxlifetime): int|false
         return 0;
     }
 
-    protected function doDestroy(string $sessionId): bool
+    protected function doDestroy(#[\SensitiveParameter] string $sessionId): bool
     {
            // delete the record associated with this id
         $sql = "DELETE FROM $this->table WHERE $this->idCol = :id";
@@ -323,7 +323,7 @@ protected function doDestroy(string $sessionId): bool
         return true;
     }
 
-    protected function doWrite(string $sessionId, string $data): bool
+    protected function doWrite(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         $maxlifetime = (int) (($this->ttl instanceof \Closure ? ($this->ttl)() : $this->ttl) ?? \ini_get('session.gc_maxlifetime'));
 
@@ -366,7 +366,7 @@ protected function doWrite(string $sessionId, string $data): bool
         return true;
     }
 
-    public function updateTimestamp(string $sessionId, string $data): bool
+    public function updateTimestamp(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         $expiry = time() + (int) (($this->ttl instanceof \Closure ? ($this->ttl)() : $this->ttl) ?? \ini_get('session.gc_maxlifetime'));
 
@@ -610,7 +610,7 @@ private function rollback(): void
      * We need to make sure we do not return session data that is already considered garbage according
      * to the session.gc_maxlifetime setting because gc() is called after read() and only sometimes.
      */
-    protected function doRead(string $sessionId): string
+    protected function doRead(#[\SensitiveParameter] string $sessionId): string
     {
         if (self::LOCK_ADVISORY === $this->lockMode) {
             $this->unlockStatements[] = $this->doAdvisoryLock($sessionId);
@@ -681,7 +681,7 @@ protected function doRead(string $sessionId): string
      *       - for oci using DBMS_LOCK.REQUEST
      *       - for sqlsrv using sp_getapplock with LockOwner = Session
      */
-    private function doAdvisoryLock(string $sessionId): \PDOStatement
+    private function doAdvisoryLock(#[\SensitiveParameter] string $sessionId): \PDOStatement
     {
         switch ($this->driver) {
             case 'mysql':
@@ -780,7 +780,7 @@ private function getSelectSql(): string
     /**
      * Returns an insert statement supported by the database for writing session data.
      */
-    private function getInsertStatement(string $sessionId, string $sessionData, int $maxlifetime): \PDOStatement
+    private function getInsertStatement(#[\SensitiveParameter] string $sessionId, string $sessionData, int $maxlifetime): \PDOStatement
     {
         switch ($this->driver) {
             case 'oci':
@@ -807,7 +807,7 @@ private function getInsertStatement(string $sessionId, string $sessionData, int
     /**
      * Returns an update statement supported by the database for writing session data.
      */
-    private function getUpdateStatement(string $sessionId, string $sessionData, int $maxlifetime): \PDOStatement
+    private function getUpdateStatement(#[\SensitiveParameter] string $sessionId, string $sessionData, int $maxlifetime): \PDOStatement
     {
         switch ($this->driver) {
             case 'oci':
@@ -834,7 +834,7 @@ private function getUpdateStatement(string $sessionId, string $sessionData, int
     /**
      * Returns a merge/upsert (i.e. insert or update) statement when supported by the database for writing session data.
      */
-    private function getMergeStatement(string $sessionId, string $data, int $maxlifetime): ?\PDOStatement
+    private function getMergeStatement(#[\SensitiveParameter] string $sessionId, string $data, int $maxlifetime): ?\PDOStatement
     {
         switch (true) {
             case 'mysql' === $this->driver:

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/RedisSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/RedisSessionHandler.php
@@ -50,20 +50,20 @@ public function __construct(
         $this->ttl = $options['ttl'] ?? null;
     }
 
-    protected function doRead(string $sessionId): string
+    protected function doRead(#[\SensitiveParameter] string $sessionId): string
     {
         return $this->redis->get($this->prefix.$sessionId) ?: '';
     }
 
-    protected function doWrite(string $sessionId, string $data): bool
+    protected function doWrite(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         $ttl = ($this->ttl instanceof \Closure ? ($this->ttl)() : $this->ttl) ?? \ini_get('session.gc_maxlifetime');
         $result = $this->redis->setEx($this->prefix.$sessionId, (int) $ttl, $data);
 
         return $result && !$result instanceof ErrorInterface;
     }
 
-    protected function doDestroy(string $sessionId): bool
+    protected function doDestroy(#[\SensitiveParameter] string $sessionId): bool
     {
         static $unlink = true;
 
@@ -93,7 +93,7 @@ public function gc(int $maxlifetime): int|false
         return 0;
     }
 
-    public function updateTimestamp(string $sessionId, string $data): bool
+    public function updateTimestamp(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         $ttl = ($this->ttl instanceof \Closure ? ($this->ttl)() : $this->ttl) ?? \ini_get('session.gc_maxlifetime');
 

diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/StrictSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/StrictSessionHandler.php
@@ -47,30 +47,30 @@ public function open(string $savePath, string $sessionName): bool
         return $this->handler->open($savePath, $sessionName);
     }
 
-    protected function doRead(string $sessionId): string
+    protected function doRead(#[\SensitiveParameter] string $sessionId): string
     {
         return $this->handler->read($sessionId);
     }
 
-    public function updateTimestamp(string $sessionId, string $data): bool
+    public function updateTimestamp(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         return $this->write($sessionId, $data);
     }
 
-    protected function doWrite(string $sessionId, string $data): bool
+    protected function doWrite(#[\SensitiveParameter] string $sessionId, string $data): bool
     {
         return $this->handler->write($sessionId, $data);
     }
 
-    public function destroy(string $sessionId): bool
+    public function destroy(#[\SensitiveParameter] string $sessionId): bool
     {
         $this->doDestroy = true;
         $destroyed = parent::destroy($sessionId);
 
         return $this->doDestroy ? $this->doDestroy($sessionId) : $destroyed;
     }
 
-    protected function doDestroy(string $sessionId): bool
+    protected function doDestroy(#[\SensitiveParameter] string $sessionId): bool
     {
         $this->doDestroy = false;