vendor/symfony/http-kernel/EventListener/AbstractSessionListener.php line 239

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\HttpKernel\EventListener;
  14. use Psr\Container\ContainerInterface;
  15. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  16. use Symfony\Component\HttpFoundation\Cookie;
  17. use Symfony\Component\HttpFoundation\Session\Session;
  18. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  19. use Symfony\Component\HttpFoundation\Session\SessionUtils;
  20. use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
  21. use Symfony\Component\HttpKernel\Event\RequestEvent;
  22. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  23. use Symfony\Component\HttpKernel\Exception\UnexpectedSessionUsageException;
  24. use Symfony\Component\HttpKernel\KernelEvents;
  25. use Symfony\Contracts\Service\ResetInterface;
  27. /**
  28. * Sets the session onto the request on the "kernel.request" event and saves
  29. * it on the "kernel.response" event.
  30. *
  31. * In addition, if the session has been started it overrides the Cache-Control
  32. * header in such a way that all caching is disabled in that case.
  33. * If you have a scenario where caching responses with session information in
  34. * them makes sense, you can disable this behaviour by setting the header
  35. * AbstractSessionListener::NO_AUTO_CACHE_CONTROL_HEADER on the response.
  36. *
  37. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  38. * @author Tobias Schultze <http://tobion.de>
  39. */
  40. abstract class AbstractSessionListener implements EventSubscriberInterface, ResetInterface
  41. {
  42. public const NO_AUTO_CACHE_CONTROL_HEADER = 'Symfony-Session-NoAutoCacheControl';
  45. /**
  46. * @internal
  47. */
  48. protected $container;
  49. private $sessionUsageStack = [];
  50. private $debug;
  52. /**
  53. * @var array<string, mixed>
  54. */
  55. private $sessionOptions;
  57. /**
  58. * @internal
  59. */
  60. public function __construct(?ContainerInterface $container = null, bool $debug = false, array $sessionOptions = [])
  61. {
  62. $this->container = $container;
  63. $this->debug = $debug;
  64. $this->sessionOptions = $sessionOptions;
  65. }
  67. /**
  68. * @internal
  69. */
  70. public function onKernelRequest(RequestEvent $event)
  71. {
  72. if (!$event->isMainRequest()) {
  73. return;
  74. }
  76. $request = $event->getRequest();
  77. if (!$request->hasSession()) {
  78. // This variable prevents calling `$this->getSession()` twice in case the Request (and the below factory) is cloned
  79. $sess = null;
  80. $request->setSessionFactory(function () use (&$sess, $request) {
  81. if (!$sess) {
  82. $sess = $this->getSession();
  83. $request->setSession($sess);
  85. /*
  86. * For supporting sessions in php runtime with runners like roadrunner or swoole, the session
  87. * cookie needs to be read from the cookie bag and set on the session storage.
  88. *
  89. * Do not set it when a native php session is active.
  90. */
  91. if ($sess && !$sess->isStarted() && \PHP_SESSION_ACTIVE !== session_status()) {
  92. $sessionId = $sess->getId() ?: $request->cookies->get($sess->getName(), '');
  93. $sess->setId($sessionId);
  94. }
  95. }
  97. return $sess;
  98. });
  99. }
  101. $session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : null;
  102. $this->sessionUsageStack[] = $session instanceof Session ? $session->getUsageIndex() : 0;
  103. }
  105. /**
  106. * @internal
  107. */
  108. public function onKernelResponse(ResponseEvent $event)
  109. {
  110. if (!$event->isMainRequest() || (!$this->container->has('initialized_session') && !$event->getRequest()->hasSession())) {
  111. return;
  112. }
  114. $response = $event->getResponse();
  115. $autoCacheControl = !$response->headers->has(self::NO_AUTO_CACHE_CONTROL_HEADER);
  116. // Always remove the internal header if present
  117. $response->headers->remove(self::NO_AUTO_CACHE_CONTROL_HEADER);
  119. if (!$session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : ($event->getRequest()->hasSession() ? $event->getRequest()->getSession() : null)) {
  120. return;
  121. }
  123. if ($session->isStarted()) {
  124. /*
  125. * Saves the session, in case it is still open, before sending the response/headers.
  126. *
  127. * This ensures several things in case the developer did not save the session explicitly:
  128. *
  129. * * If a session save handler without locking is used, it ensures the data is available
  130. * on the next request, e.g. after a redirect. PHPs auto-save at script end via
  131. * session_register_shutdown is executed after fastcgi_finish_request. So in this case
  132. * the data could be missing the next request because it might not be saved the moment
  133. * the new request is processed.
  134. * * A locking save handler (e.g. the native 'files') circumvents concurrency problems like
  135. * the one above. But by saving the session before long-running things in the terminate event,
  136. * we ensure the session is not blocked longer than needed.
  137. * * When regenerating the session ID no locking is involved in PHPs session design. See
  138. * https://bugs.php.net/61470 for a discussion. So in this case, the session must
  139. * be saved anyway before sending the headers with the new session ID. Otherwise session
  140. * data could get lost again for concurrent requests with the new ID. One result could be
  141. * that you get logged out after just logging in.
  142. *
  143. * This listener should be executed as one of the last listeners, so that previous listeners
  144. * can still operate on the open session. This prevents the overhead of restarting it.
  145. * Listeners after closing the session can still work with the session as usual because
  146. * Symfonys session implementation starts the session on demand. So writing to it after
  147. * it is saved will just restart it.
  148. */
  149. $session->save();
  151. /*
  152. * For supporting sessions in php runtime with runners like roadrunner or swoole the session
  153. * cookie need to be written on the response object and should not be written by PHP itself.
  154. */
  155. $sessionName = $session->getName();
  156. $sessionId = $session->getId();
  157. $sessionOptions = $this->getSessionOptions($this->sessionOptions);
  158. $sessionCookiePath = $sessionOptions['cookie_path'] ?? '/';
  159. $sessionCookieDomain = $sessionOptions['cookie_domain'] ?? null;
  160. $sessionCookieSecure = $sessionOptions['cookie_secure'] ?? false;
  161. $sessionCookieHttpOnly = $sessionOptions['cookie_httponly'] ?? true;
  162. $sessionCookieSameSite = $sessionOptions['cookie_samesite'] ?? Cookie::SAMESITE_LAX;
  163. $sessionUseCookies = $sessionOptions['use_cookies'] ?? true;
  165. SessionUtils::popSessionCookie($sessionName, $sessionId);
  167. if ($sessionUseCookies) {
  168. $request = $event->getRequest();
  169. $requestSessionCookieId = $request->cookies->get($sessionName);
  171. $isSessionEmpty = $session->isEmpty() && empty($_SESSION); // checking $_SESSION to keep compatibility with native sessions
  172. if ($requestSessionCookieId && $isSessionEmpty) {
  173. // PHP internally sets the session cookie value to "deleted" when setcookie() is called with empty string $value argument
  174. // which happens in \Symfony\Component\HttpFoundation\Session\Storage\Handler\AbstractSessionHandler::destroy
  175. // when the session gets invalidated (for example on logout) so we must handle this case here too
  176. // otherwise we would send two Set-Cookie headers back with the response
  177. SessionUtils::popSessionCookie($sessionName, 'deleted');
  178. $response->headers->clearCookie(
  179. $sessionName,
  180. $sessionCookiePath,
  181. $sessionCookieDomain,
  182. $sessionCookieSecure,
  183. $sessionCookieHttpOnly,
  184. $sessionCookieSameSite
  185. );
  186. } elseif ($sessionId !== $requestSessionCookieId && !$isSessionEmpty) {
  187. $expire = 0;
  188. $lifetime = $sessionOptions['cookie_lifetime'] ?? null;
  189. if ($lifetime) {
  190. $expire = time() + $lifetime;
  191. }
  193. $response->headers->setCookie(
  194. Cookie::create(
  195. $sessionName,
  196. $sessionId,
  197. $expire,
  198. $sessionCookiePath,
  199. $sessionCookieDomain,
  200. $sessionCookieSecure,
  201. $sessionCookieHttpOnly,
  202. false,
  203. $sessionCookieSameSite
  204. )
  205. );
  206. }
  207. }
  208. }
  210. if ($session instanceof Session ? $session->getUsageIndex() === end($this->sessionUsageStack) : !$session->isStarted()) {
  211. return;
  212. }
  214. if ($autoCacheControl) {
  215. $maxAge = $response->headers->hasCacheControlDirective('public') ? 0 : (int) $response->getMaxAge();
  216. $response
  217. ->setExpires(new \DateTimeImmutable('+'.$maxAge.' seconds'))
  218. ->setPrivate()
  219. ->setMaxAge($maxAge)
  220. ->headers->addCacheControlDirective('must-revalidate');
  221. }
  223. if (!$event->getRequest()->attributes->get('_stateless', false)) {
  224. return;
  225. }
  227. if ($this->debug) {
  228. throw new UnexpectedSessionUsageException('Session was used while the request was declared stateless.');
  229. }
  231. if ($this->container->has('logger')) {
  232. $this->container->get('logger')->warning('Session was used while the request was declared stateless.');
  233. }
  234. }
  236. /**
  237. * @internal
  238. */
  239. public function onFinishRequest(FinishRequestEvent $event)
  240. {
  241. if ($event->isMainRequest()) {
  242. array_pop($this->sessionUsageStack);
  243. }
  244. }
  246. /**
  247. * @internal
  248. */
  249. public function onSessionUsage(): void
  250. {
  251. if (!$this->debug) {
  252. return;
  253. }
  255. if ($this->container && $this->container->has('session_collector')) {
  256. $this->container->get('session_collector')();
  257. }
  259. if (!$requestStack = $this->container && $this->container->has('request_stack') ? $this->container->get('request_stack') : null) {
  260. return;
  261. }
  263. $stateless = false;
  264. $clonedRequestStack = clone $requestStack;
  265. while (null !== ($request = $clonedRequestStack->pop()) && !$stateless) {
  266. $stateless = $request->attributes->get('_stateless');
  267. }
  269. if (!$stateless) {
  270. return;
  271. }
  273. if (!$session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : $requestStack->getCurrentRequest()->getSession()) {
  274. return;
  275. }
  277. if ($session->isStarted()) {
  278. $session->save();
  279. }
  281. throw new UnexpectedSessionUsageException('Session was used while the request was declared stateless.');
  282. }
  284. /**
  285. * @internal
  286. */
  287. public static function getSubscribedEvents(): array
  288. {
  289. return [
  290. KernelEvents::REQUEST => ['onKernelRequest', 128],
  291. // low priority to come after regular response listeners, but higher than StreamedResponseListener
  292. KernelEvents::RESPONSE => ['onKernelResponse', -1000],
  293. KernelEvents::FINISH_REQUEST => ['onFinishRequest'],
  294. ];
  295. }
  297. /**
  298. * @internal
  299. */
  300. public function reset(): void
  301. {
  302. if (\PHP_SESSION_ACTIVE === session_status()) {
  303. session_abort();
  304. }
  306. session_unset();
  307. $_SESSION = [];
  309. if (!headers_sent()) { // session id can only be reset when no headers were so we check for headers_sent first
  310. session_id('');
  311. }
  312. }
  314. /**
  315. * Gets the session object.
  316. *
  317. * @internal
  318. *
  319. * @return SessionInterface|null
  320. */
  321. abstract protected function getSession();
  323. private function getSessionOptions(array $sessionOptions): array
  324. {
  325. $mergedSessionOptions = [];
  327. foreach (session_get_cookie_params() as $key => $value) {
  328. $mergedSessionOptions['cookie_'.$key] = $value;
  329. }
  331. foreach ($sessionOptions as $key => $value) {
  332. // do the same logic as in the NativeSessionStorage
  333. if ('cookie_secure' === $key && 'auto' === $value) {
  334. continue;
  335. }
  336. $mergedSessionOptions[$key] = $value;
  337. }
  339. return $mergedSessionOptions;
  340. }
  341. }