bug #47130 [HttpFoundation] Fix invalid ID not regenerated with native PHP file sessions (BrokenSourceCode)

nicolas-grekas · nicolas-grekas · commit 6c0f7da7f023 · 2022-08-01T18:48:08.000+02:00
This PR was squashed before being merged into the 4.4 branch. Discussion ---------- [HttpFoundation] Fix invalid ID not regenerated with native PHP file sessions | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #46993, #47126 | License | MIT Inside the [`SessionHandlerProxy`](https://github.com/symfony/symfony/blob/818d4dda7de778726123bc6bd49488959d4186e7/src/Symfony/Component/HttpFoundation/Session/Storage/Proxy/SessionHandlerProxy.php) class, the code defines `$this->saveHandlerName` to `\ini_get('session.save_handler')` when `$handler` is an instance of [`\SessionHandler`](https://www.php.net/manual/en/class.sessionhandler.php). https://github.com/symfony/symfony/blob/818d4dda7de778726123bc6bd49488959d4186e7/src/Symfony/Component/HttpFoundation/Session/Storage/Proxy/SessionHandlerProxy.php#L24-L25 But inside the [`NativeSessionStorage`](https://github.com/symfony/symfony/blob/818d4dda7de778726123bc6bd49488959d4186e7/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php) class, the code create an instance of [`StrictSessionHandler`](https://github.com/symfony/symfony/blob/818d4dda7de778726123bc6bd49488959d4186e7/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/StrictSessionHandler.php) that doesn't inherit from [`\SessionHandler`](https://www.php.net/manual/en/class.sessionhandler.php) and is passed to the [`SessionHandlerProxy`](https://github.com/symfony/symfony/blob/818d4dda7de778726123bc6bd49488959d4186e7/src/Symfony/Component/HttpFoundation/Session/Storage/Proxy/SessionHandlerProxy.php) constructor. https://github.com/symfony/symfony/blob/818d4dda7de778726123bc6bd49488959d4186e7/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php#L422-L424 Therefore, we could create a `isWrapper()` method inside the [`StrictSessionHandler`](https://github.com/symfony/symfony/blob/818d4dda7de778726123bc6bd49488959d4186e7/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/StrictSessionHandler.php) class to check if the wrapped handler is an internal PHP session handler ([`\SessionHandler`](https://www.php.net/manual/en/class.sessionhandler.php)), just like [`AbstractProxy::isWrapper()`](https://github.com/symfony/symfony/blob/818d4dda7de778726123bc6bd49488959d4186e7/src/Symfony/Component/HttpFoundation/Session/Storage/Proxy/AbstractProxy.php#L50). That's the only solution I have in mind right now. Commits ------- 4775c88 [HttpFoundation] Fix invalid ID not regenerated with native PHP file sessions
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/StrictSessionHandler.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/StrictSessionHandler.php
@@ -30,6 +30,16 @@ public function __construct(\SessionHandlerInterface $handler)
         $this->handler = $handler;
     }
 
+    /**
+     * Returns true if this handler wraps an internal PHP session save handler using \SessionHandler.
+     *
+     * @internal
+     */
+    public function isWrapper(): bool
+    {
+        return $this->handler instanceof \SessionHandler;
+    }
+
     /**
      * @return bool
      */
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/Proxy/SessionHandlerProxy.php b/src/Symfony/Component/HttpFoundation/Session/Storage/Proxy/SessionHandlerProxy.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\HttpFoundation\Session\Storage\Proxy;
 
+use Symfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;
+
 /**
  * @author Drak <drak@zikula.org>
  */
@@ -22,7 +24,7 @@ public function __construct(\SessionHandlerInterface $handler)
     {
         $this->handler = $handler;
         $this->wrapper = $handler instanceof \SessionHandler;
-        $this->saveHandlerName = $this->wrapper ? \ini_get('session.save_handler') : 'user';
+        $this->saveHandlerName = $this->wrapper || ($handler instanceof StrictSessionHandler && $handler->isWrapper()) ? \ini_get('session.save_handler') : 'user';
     }
 
     /**
diff --git a/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Proxy/SessionHandlerProxyTest.php b/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Proxy/SessionHandlerProxyTest.php
@@ -12,6 +12,8 @@
 namespace Symfony\Component\HttpFoundation\Tests\Session\Storage\Proxy;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;
+use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
 use Symfony\Component\HttpFoundation\Session\Storage\Proxy\SessionHandlerProxy;
 
 /**
@@ -159,6 +161,23 @@ public function testUpdateTimestamp()
 
         $this->proxy->updateTimestamp('id', 'data');
     }
+
+    /**
+     * @dataProvider provideNativeSessionStorageHandler
+     */
+    public function testNativeSessionStorageSaveHandlerName($handler)
+    {
+        $this->assertSame('files', (new NativeSessionStorage([], $handler))->getSaveHandler()->getSaveHandlerName());
+    }
+
+    public function provideNativeSessionStorageHandler()
+    {
+        return [
+            [new \SessionHandler()],
+            [new StrictSessionHandler(new \SessionHandler())],
+            [new SessionHandlerProxy(new StrictSessionHandler(new \SessionHandler()))],
+        ];
+    }
 }
 
 abstract class TestSessionHandler implements \SessionHandlerInterface, \SessionUpdateTimestampHandlerInterface

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\HttpFoundation\Session\Storage\Proxy;`
`13`	`13`
	`14`	`+use Symfony\Component\HttpFoundation\Session\Storage\Handler\StrictSessionHandler;`
	`15`	`+`
`14`	`16`	`/**`
`15`	`17`	`* @author Drak <drak@zikula.org>`
`16`	`18`	`*/`
`@@ -22,7 +24,7 @@ public function __construct(\SessionHandlerInterface $handler)`
`22`	`24`	`{`
`23`	`25`	`$this->handler = $handler;`
`24`	`26`	`$this->wrapper = $handler instanceof \SessionHandler;`
`25`		`- $this->saveHandlerName = $this->wrapper ? \ini_get('session.save_handler') : 'user';`
	`27`	`+ $this->saveHandlerName = $this->wrapper \|\| ($handler instanceof StrictSessionHandler && $handler->isWrapper()) ? \ini_get('session.save_handler') : 'user';`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/**`