vendor/symfony/http-kernel/EventListener/AbstractSessionListener.php line 60

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\HttpKernel\EventListener;
  14. use Psr\Container\ContainerInterface;
  15. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  16. use Symfony\Component\HttpFoundation\Cookie;
  17. use Symfony\Component\HttpFoundation\Session\Session;
  18. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  19. use Symfony\Component\HttpFoundation\Session\SessionUtils;
  20. use Symfony\Component\HttpKernel\Event\RequestEvent;
  21. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  22. use Symfony\Component\HttpKernel\Exception\UnexpectedSessionUsageException;
  23. use Symfony\Component\HttpKernel\KernelEvents;
  24. use Symfony\Contracts\Service\ResetInterface;
  26. /**
  27. * Sets the session onto the request on the "kernel.request" event and saves
  28. * it on the "kernel.response" event.
  29. *
  30. * In addition, if the session has been started it overrides the Cache-Control
  31. * header in such a way that all caching is disabled in that case.
  32. * If you have a scenario where caching responses with session information in
  33. * them makes sense, you can disable this behaviour by setting the header
  34. * AbstractSessionListener::NO_AUTO_CACHE_CONTROL_HEADER on the response.
  35. *
  36. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  37. * @author Tobias Schultze <http://tobion.de>
  38. *
  39. * @internal
  40. */
  41. abstract class AbstractSessionListener implements EventSubscriberInterface, ResetInterface
  42. {
  43. public const NO_AUTO_CACHE_CONTROL_HEADER = 'Symfony-Session-NoAutoCacheControl';
  45. protected $container;
  46. private bool $debug;
  48. /**
  49. * @var array<string, mixed>
  50. */
  51. private $sessionOptions;
  53. public function __construct(ContainerInterface $container = null, bool $debug = false, array $sessionOptions = [])
  54. {
  55. $this->container = $container;
  56. $this->debug = $debug;
  57. $this->sessionOptions = $sessionOptions;
  58. }
  60. public function onKernelRequest(RequestEvent $event)
  61. {
  62. if (!$event->isMainRequest()) {
  63. return;
  64. }
  66. $request = $event->getRequest();
  67. if (!$request->hasSession()) {
  68. // This variable prevents calling `$this->getSession()` twice in case the Request (and the below factory) is cloned
  69. $sess = null;
  70. $request->setSessionFactory(function () use (&$sess, $request) {
  71. if (!$sess) {
  72. $sess = $this->getSession();
  74. /*
  75. * For supporting sessions in php runtime with runners like roadrunner or swoole, the session
  76. * cookie needs to be read from the cookie bag and set on the session storage.
  77. *
  78. * Do not set it when a native php session is active.
  79. */
  80. if ($sess && !$sess->isStarted() && \PHP_SESSION_ACTIVE !== session_status()) {
  81. $sessionId = $sess->getId() ?: $request->cookies->get($sess->getName(), '');
  82. $sess->setId($sessionId);
  83. }
  84. }
  86. return $sess;
  87. });
  88. }
  89. }
  91. public function onKernelResponse(ResponseEvent $event)
  92. {
  93. if (!$event->isMainRequest() || (!$this->container->has('initialized_session') && !$event->getRequest()->hasSession())) {
  94. return;
  95. }
  97. $response = $event->getResponse();
  98. $autoCacheControl = !$response->headers->has(self::NO_AUTO_CACHE_CONTROL_HEADER);
  99. // Always remove the internal header if present
  100. $response->headers->remove(self::NO_AUTO_CACHE_CONTROL_HEADER);
  101. if (!$event->getRequest()->hasSession(true)) {
  102. return;
  103. }
  104. $session = $event->getRequest()->getSession();
  106. if ($session->isStarted()) {
  107. /*
  108. * Saves the session, in case it is still open, before sending the response/headers.
  109. *
  110. * This ensures several things in case the developer did not save the session explicitly:
  111. *
  112. * * If a session save handler without locking is used, it ensures the data is available
  113. * on the next request, e.g. after a redirect. PHPs auto-save at script end via
  114. * session_register_shutdown is executed after fastcgi_finish_request. So in this case
  115. * the data could be missing the next request because it might not be saved the moment
  116. * the new request is processed.
  117. * * A locking save handler (e.g. the native 'files') circumvents concurrency problems like
  118. * the one above. But by saving the session before long-running things in the terminate event,
  119. * we ensure the session is not blocked longer than needed.
  120. * * When regenerating the session ID no locking is involved in PHPs session design. See
  121. * https://bugs.php.net/61470 for a discussion. So in this case, the session must
  122. * be saved anyway before sending the headers with the new session ID. Otherwise session
  123. * data could get lost again for concurrent requests with the new ID. One result could be
  124. * that you get logged out after just logging in.
  125. *
  126. * This listener should be executed as one of the last listeners, so that previous listeners
  127. * can still operate on the open session. This prevents the overhead of restarting it.
  128. * Listeners after closing the session can still work with the session as usual because
  129. * Symfonys session implementation starts the session on demand. So writing to it after
  130. * it is saved will just restart it.
  131. */
  132. $session->save();
  134. /*
  135. * For supporting sessions in php runtime with runners like roadrunner or swoole the session
  136. * cookie need to be written on the response object and should not be written by PHP itself.
  137. */
  138. $sessionName = $session->getName();
  139. $sessionId = $session->getId();
  140. $sessionOptions = $this->getSessionOptions($this->sessionOptions);
  141. $sessionCookiePath = $sessionOptions['cookie_path'] ?? '/';
  142. $sessionCookieDomain = $sessionOptions['cookie_domain'] ?? null;
  143. $sessionCookieSecure = $sessionOptions['cookie_secure'] ?? false;
  144. $sessionCookieHttpOnly = $sessionOptions['cookie_httponly'] ?? true;
  145. $sessionCookieSameSite = $sessionOptions['cookie_samesite'] ?? Cookie::SAMESITE_LAX;
  146. $sessionUseCookies = $sessionOptions['use_cookies'] ?? true;
  148. SessionUtils::popSessionCookie($sessionName, $sessionId);
  150. if ($sessionUseCookies) {
  151. $request = $event->getRequest();
  152. $requestSessionCookieId = $request->cookies->get($sessionName);
  154. $isSessionEmpty = ($session instanceof Session ? $session->isEmpty() : empty($session->all())) && empty($_SESSION); // checking $_SESSION to keep compatibility with native sessions
  155. if ($requestSessionCookieId && $isSessionEmpty) {
  156. // PHP internally sets the session cookie value to "deleted" when setcookie() is called with empty string $value argument
  157. // which happens in \Symfony\Component\HttpFoundation\Session\Storage\Handler\AbstractSessionHandler::destroy
  158. // when the session gets invalidated (for example on logout) so we must handle this case here too
  159. // otherwise we would send two Set-Cookie headers back with the response
  160. SessionUtils::popSessionCookie($sessionName, 'deleted');
  161. $response->headers->clearCookie(
  162. $sessionName,
  163. $sessionCookiePath,
  164. $sessionCookieDomain,
  165. $sessionCookieSecure,
  166. $sessionCookieHttpOnly,
  167. $sessionCookieSameSite
  168. );
  169. } elseif ($sessionId !== $requestSessionCookieId && !$isSessionEmpty) {
  170. $expire = 0;
  171. $lifetime = $sessionOptions['cookie_lifetime'] ?? null;
  172. if ($lifetime) {
  173. $expire = time() + $lifetime;
  174. }
  176. $response->headers->setCookie(
  177. Cookie::create(
  178. $sessionName,
  179. $sessionId,
  180. $expire,
  181. $sessionCookiePath,
  182. $sessionCookieDomain,
  183. $sessionCookieSecure,
  184. $sessionCookieHttpOnly,
  185. false,
  186. $sessionCookieSameSite
  187. )
  188. );
  189. }
  190. }
  191. }
  193. if ($session instanceof Session ? 0 === $session->getUsageIndex() : !$session->isStarted()) {
  194. return;
  195. }
  197. if ($autoCacheControl) {
  198. $maxAge = $response->headers->hasCacheControlDirective('public') ? 0 : (int) $response->getMaxAge();
  199. $response
  200. ->setExpires(new \DateTimeImmutable('+'.$maxAge.' seconds'))
  201. ->setPrivate()
  202. ->setMaxAge($maxAge)
  203. ->headers->addCacheControlDirective('must-revalidate');
  204. }
  206. if (!$event->getRequest()->attributes->get('_stateless', false)) {
  207. return;
  208. }
  210. if ($this->debug) {
  211. throw new UnexpectedSessionUsageException('Session was used while the request was declared stateless.');
  212. }
  214. if ($this->container->has('logger')) {
  215. $this->container->get('logger')->warning('Session was used while the request was declared stateless.');
  216. }
  217. }
  219. public function onSessionUsage(): void
  220. {
  221. if (!$this->debug) {
  222. return;
  223. }
  225. if ($this->container && $this->container->has('session_collector')) {
  226. $this->container->get('session_collector')();
  227. }
  229. if (!$requestStack = $this->container && $this->container->has('request_stack') ? $this->container->get('request_stack') : null) {
  230. return;
  231. }
  233. $stateless = false;
  234. $clonedRequestStack = clone $requestStack;
  235. while (null !== ($request = $clonedRequestStack->pop()) && !$stateless) {
  236. $stateless = $request->attributes->get('_stateless');
  237. }
  239. if (!$stateless) {
  240. return;
  241. }
  243. if (!$session = $requestStack->getCurrentRequest()->getSession()) {
  244. return;
  245. }
  247. if ($session->isStarted()) {
  248. $session->save();
  249. }
  251. throw new UnexpectedSessionUsageException('Session was used while the request was declared stateless.');
  252. }
  254. public static function getSubscribedEvents(): array
  255. {
  256. return [
  257. KernelEvents::REQUEST => ['onKernelRequest', 128],
  258. // low priority to come after regular response listeners, but higher than StreamedResponseListener
  259. KernelEvents::RESPONSE => ['onKernelResponse', -1000],
  260. ];
  261. }
  263. public function reset(): void
  264. {
  265. if (\PHP_SESSION_ACTIVE === session_status()) {
  266. session_abort();
  267. }
  269. session_unset();
  270. $_SESSION = [];
  272. if (!headers_sent()) { // session id can only be reset when no headers were so we check for headers_sent first
  273. session_id('');
  274. }
  275. }
  277. /**
  278. * Gets the session object.
  279. */
  280. abstract protected function getSession(): ?SessionInterface;
  282. private function getSessionOptions(array $sessionOptions): array
  283. {
  284. $mergedSessionOptions = [];
  286. foreach (session_get_cookie_params() as $key => $value) {
  287. $mergedSessionOptions['cookie_'.$key] = $value;
  288. }
  290. foreach ($sessionOptions as $key => $value) {
  291. // do the same logic as in the NativeSessionStorage
  292. if ('cookie_secure' === $key && 'auto' === $value) {
  293. continue;
  294. }
  295. $mergedSessionOptions[$key] = $value;
  296. }
  298. return $mergedSessionOptions;
  299. }
  300. }