vendor/symfony/http-kernel/EventListener/AbstractSessionListener.php line 225

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\HttpKernel\EventListener;
  14. use Psr\Container\ContainerInterface;
  15. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  16. use Symfony\Component\HttpFoundation\Cookie;
  17. use Symfony\Component\HttpFoundation\Session\Session;
  18. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  19. use Symfony\Component\HttpFoundation\Session\SessionUtils;
  20. use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
  21. use Symfony\Component\HttpKernel\Event\RequestEvent;
  22. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  23. use Symfony\Component\HttpKernel\Exception\UnexpectedSessionUsageException;
  24. use Symfony\Component\HttpKernel\KernelEvents;
  25. use Symfony\Contracts\Service\ResetInterface;
  27. /**
  28. * Sets the session onto the request on the "kernel.request" event and saves
  29. * it on the "kernel.response" event.
  30. *
  31. * In addition, if the session has been started it overrides the Cache-Control
  32. * header in such a way that all caching is disabled in that case.
  33. * If you have a scenario where caching responses with session information in
  34. * them makes sense, you can disable this behaviour by setting the header
  35. * AbstractSessionListener::NO_AUTO_CACHE_CONTROL_HEADER on the response.
  36. *
  37. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  38. * @author Tobias Schultze <http://tobion.de>
  39. *
  40. * @internal
  41. */
  42. abstract class AbstractSessionListener implements EventSubscriberInterface, ResetInterface
  43. {
  44. public const NO_AUTO_CACHE_CONTROL_HEADER = 'Symfony-Session-NoAutoCacheControl';
  46. protected $container;
  47. private $sessionUsageStack = [];
  48. private $debug;
  50. /**
  51. * @var array<string, mixed>
  52. */
  53. private $sessionOptions;
  55. public function __construct(ContainerInterface $container = null, bool $debug = false, array $sessionOptions = [])
  56. {
  57. $this->container = $container;
  58. $this->debug = $debug;
  59. $this->sessionOptions = $sessionOptions;
  60. }
  62. public function onKernelRequest(RequestEvent $event)
  63. {
  64. if (!$event->isMainRequest()) {
  65. return;
  66. }
  68. $request = $event->getRequest();
  69. if (!$request->hasSession()) {
  70. // This variable prevents calling `$this->getSession()` twice in case the Request (and the below factory) is cloned
  71. $sess = null;
  72. $request->setSessionFactory(function () use (&$sess, $request) {
  73. if (!$sess) {
  74. $sess = $this->getSession();
  75. $request->setSession($sess);
  77. /*
  78. * For supporting sessions in php runtime with runners like roadrunner or swoole, the session
  79. * cookie needs to be read from the cookie bag and set on the session storage.
  80. *
  81. * Do not set it when a native php session is active.
  82. */
  83. if ($sess && !$sess->isStarted() && \PHP_SESSION_ACTIVE !== session_status()) {
  84. $sessionId = $sess->getId() ?: $request->cookies->get($sess->getName(), '');
  85. $sess->setId($sessionId);
  86. }
  87. }
  89. return $sess;
  90. });
  91. }
  93. $session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : null;
  94. $this->sessionUsageStack[] = $session instanceof Session ? $session->getUsageIndex() : 0;
  95. }
  97. public function onKernelResponse(ResponseEvent $event)
  98. {
  99. if (!$event->isMainRequest() || (!$this->container->has('initialized_session') && !$event->getRequest()->hasSession())) {
  100. return;
  101. }
  103. $response = $event->getResponse();
  104. $autoCacheControl = !$response->headers->has(self::NO_AUTO_CACHE_CONTROL_HEADER);
  105. // Always remove the internal header if present
  106. $response->headers->remove(self::NO_AUTO_CACHE_CONTROL_HEADER);
  108. if (!$session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : ($event->getRequest()->hasSession() ? $event->getRequest()->getSession() : null)) {
  109. return;
  110. }
  112. if ($session->isStarted()) {
  113. /*
  114. * Saves the session, in case it is still open, before sending the response/headers.
  115. *
  116. * This ensures several things in case the developer did not save the session explicitly:
  117. *
  118. * * If a session save handler without locking is used, it ensures the data is available
  119. * on the next request, e.g. after a redirect. PHPs auto-save at script end via
  120. * session_register_shutdown is executed after fastcgi_finish_request. So in this case
  121. * the data could be missing the next request because it might not be saved the moment
  122. * the new request is processed.
  123. * * A locking save handler (e.g. the native 'files') circumvents concurrency problems like
  124. * the one above. But by saving the session before long-running things in the terminate event,
  125. * we ensure the session is not blocked longer than needed.
  126. * * When regenerating the session ID no locking is involved in PHPs session design. See
  127. * https://bugs.php.net/61470 for a discussion. So in this case, the session must
  128. * be saved anyway before sending the headers with the new session ID. Otherwise session
  129. * data could get lost again for concurrent requests with the new ID. One result could be
  130. * that you get logged out after just logging in.
  131. *
  132. * This listener should be executed as one of the last listeners, so that previous listeners
  133. * can still operate on the open session. This prevents the overhead of restarting it.
  134. * Listeners after closing the session can still work with the session as usual because
  135. * Symfonys session implementation starts the session on demand. So writing to it after
  136. * it is saved will just restart it.
  137. */
  138. $session->save();
  140. /*
  141. * For supporting sessions in php runtime with runners like roadrunner or swoole the session
  142. * cookie need to be written on the response object and should not be written by PHP itself.
  143. */
  144. $sessionName = $session->getName();
  145. $sessionId = $session->getId();
  146. $sessionOptions = $this->getSessionOptions($this->sessionOptions);
  147. $sessionCookiePath = $sessionOptions['cookie_path'] ?? '/';
  148. $sessionCookieDomain = $sessionOptions['cookie_domain'] ?? null;
  149. $sessionCookieSecure = $sessionOptions['cookie_secure'] ?? false;
  150. $sessionCookieHttpOnly = $sessionOptions['cookie_httponly'] ?? true;
  151. $sessionCookieSameSite = $sessionOptions['cookie_samesite'] ?? Cookie::SAMESITE_LAX;
  152. $sessionUseCookies = $sessionOptions['use_cookies'] ?? true;
  154. SessionUtils::popSessionCookie($sessionName, $sessionId);
  156. if ($sessionUseCookies) {
  157. $request = $event->getRequest();
  158. $requestSessionCookieId = $request->cookies->get($sessionName);
  160. $isSessionEmpty = $session->isEmpty() && empty($_SESSION); // checking $_SESSION to keep compatibility with native sessions
  161. if ($requestSessionCookieId && $isSessionEmpty) {
  162. // PHP internally sets the session cookie value to "deleted" when setcookie() is called with empty string $value argument
  163. // which happens in \Symfony\Component\HttpFoundation\Session\Storage\Handler\AbstractSessionHandler::destroy
  164. // when the session gets invalidated (for example on logout) so we must handle this case here too
  165. // otherwise we would send two Set-Cookie headers back with the response
  166. SessionUtils::popSessionCookie($sessionName, 'deleted');
  167. $response->headers->clearCookie(
  168. $sessionName,
  169. $sessionCookiePath,
  170. $sessionCookieDomain,
  171. $sessionCookieSecure,
  172. $sessionCookieHttpOnly,
  173. $sessionCookieSameSite
  174. );
  175. } elseif ($sessionId !== $requestSessionCookieId && !$isSessionEmpty) {
  176. $expire = 0;
  177. $lifetime = $sessionOptions['cookie_lifetime'] ?? null;
  178. if ($lifetime) {
  179. $expire = time() + $lifetime;
  180. }
  182. $response->headers->setCookie(
  183. Cookie::create(
  184. $sessionName,
  185. $sessionId,
  186. $expire,
  187. $sessionCookiePath,
  188. $sessionCookieDomain,
  189. $sessionCookieSecure,
  190. $sessionCookieHttpOnly,
  191. false,
  192. $sessionCookieSameSite
  193. )
  194. );
  195. }
  196. }
  197. }
  199. if ($session instanceof Session ? $session->getUsageIndex() === end($this->sessionUsageStack) : !$session->isStarted()) {
  200. return;
  201. }
  203. if ($autoCacheControl) {
  204. $maxAge = $response->headers->hasCacheControlDirective('public') ? 0 : (int) $response->getMaxAge();
  205. $response
  206. ->setExpires(new \DateTimeImmutable('+'.$maxAge.' seconds'))
  207. ->setPrivate()
  208. ->setMaxAge($maxAge)
  209. ->headers->addCacheControlDirective('must-revalidate');
  210. }
  212. if (!$event->getRequest()->attributes->get('_stateless', false)) {
  213. return;
  214. }
  216. if ($this->debug) {
  217. throw new UnexpectedSessionUsageException('Session was used while the request was declared stateless.');
  218. }
  220. if ($this->container->has('logger')) {
  221. $this->container->get('logger')->warning('Session was used while the request was declared stateless.');
  222. }
  223. }
  225. public function onFinishRequest(FinishRequestEvent $event)
  226. {
  227. if ($event->isMainRequest()) {
  228. array_pop($this->sessionUsageStack);
  229. }
  230. }
  232. public function onSessionUsage(): void
  233. {
  234. if (!$this->debug) {
  235. return;
  236. }
  238. if ($this->container && $this->container->has('session_collector')) {
  239. $this->container->get('session_collector')();
  240. }
  242. if (!$requestStack = $this->container && $this->container->has('request_stack') ? $this->container->get('request_stack') : null) {
  243. return;
  244. }
  246. $stateless = false;
  247. $clonedRequestStack = clone $requestStack;
  248. while (null !== ($request = $clonedRequestStack->pop()) && !$stateless) {
  249. $stateless = $request->attributes->get('_stateless');
  250. }
  252. if (!$stateless) {
  253. return;
  254. }
  256. if (!$session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : $requestStack->getCurrentRequest()->getSession()) {
  257. return;
  258. }
  260. if ($session->isStarted()) {
  261. $session->save();
  262. }
  264. throw new UnexpectedSessionUsageException('Session was used while the request was declared stateless.');
  265. }
  267. public static function getSubscribedEvents(): array
  268. {
  269. return [
  270. KernelEvents::REQUEST => ['onKernelRequest', 128],
  271. // low priority to come after regular response listeners, but higher than StreamedResponseListener
  272. KernelEvents::RESPONSE => ['onKernelResponse', -1000],
  273. KernelEvents::FINISH_REQUEST => ['onFinishRequest'],
  274. ];
  275. }
  277. public function reset(): void
  278. {
  279. if (\PHP_SESSION_ACTIVE === session_status()) {
  280. session_abort();
  281. }
  283. session_unset();
  284. $_SESSION = [];
  286. if (!headers_sent()) { // session id can only be reset when no headers were so we check for headers_sent first
  287. session_id('');
  288. }
  289. }
  291. /**
  292. * Gets the session object.
  293. *
  294. * @return SessionInterface|null
  295. */
  296. abstract protected function getSession();
  298. private function getSessionOptions(array $sessionOptions): array
  299. {
  300. $mergedSessionOptions = [];
  302. foreach (session_get_cookie_params() as $key => $value) {
  303. $mergedSessionOptions['cookie_'.$key] = $value;
  304. }
  306. foreach ($sessionOptions as $key => $value) {
  307. // do the same logic as in the NativeSessionStorage
  308. if ('cookie_secure' === $key && 'auto' === $value) {
  309. continue;
  310. }
  311. $mergedSessionOptions[$key] = $value;
  312. }
  314. return $mergedSessionOptions;
  315. }
  316. }