[Security] Fix triggering session tracking from ContextListener

nicolas-grekas · nicolas-grekas · commit 5f16d09578bb · 2025-01-02T18:35:42.000+01:00
diff --git a/Firewall/ContextListener.php b/Firewall/ContextListener.php
@@ -164,6 +164,7 @@ public function onKernelResponse(ResponseEvent $event): void
         $session = $request->getSession();
         $sessionId = $session->getId();
         $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : null;
+        $usageIndexReference = \PHP_INT_MIN;
         $token = $this->tokenStorage->getToken();
 
         if (!$this->trustResolver->isAuthenticated($token)) {
@@ -178,6 +179,8 @@ public function onKernelResponse(ResponseEvent $event): void
 
         if ($this->sessionTrackerEnabler && $session->getId() === $sessionId) {
             $usageIndexReference = $usageIndexValue;
+        } else {
+            $usageIndexReference = $usageIndexReference - \PHP_INT_MIN + $usageIndexValue;
         }
     }
 
diff --git a/Tests/Firewall/ContextListenerTest.php b/Tests/Firewall/ContextListenerTest.php
@@ -323,6 +323,8 @@ public function testSessionIsNotReported()
 
         $listener = new ContextListener($tokenStorage, [], 'context_key', null, null, null, $tokenStorage->getToken(...));
         $listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST));
+
+        $listener->onKernelResponse(new ResponseEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST, new Response()));
     }
 
     public function testOnKernelResponseRemoveListener()

Original file line number	Diff line number	Diff line change
`@@ -164,6 +164,7 @@ public function onKernelResponse(ResponseEvent $event): void`
`164`	`164`	`$session = $request->getSession();`
`165`	`165`	`$sessionId = $session->getId();`
`166`	`166`	`$usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : null;`
	`167`	`+ $usageIndexReference = \PHP_INT_MIN;`
`167`	`168`	`$token = $this->tokenStorage->getToken();`
`168`	`169`
`169`	`170`	`if (!$this->trustResolver->isAuthenticated($token)) {`
`@@ -178,6 +179,8 @@ public function onKernelResponse(ResponseEvent $event): void`
`178`	`179`
`179`	`180`	`if ($this->sessionTrackerEnabler && $session->getId() === $sessionId) {`
`180`	`181`	`$usageIndexReference = $usageIndexValue;`
	`182`	`+ } else {`
	`183`	`+ $usageIndexReference = $usageIndexReference - \PHP_INT_MIN + $usageIndexValue;`
`181`	`184`	`}`
`182`	`185`	`}`
`183`	`186`
Original file line number	Diff line number	Diff line change
`@@ -323,6 +323,8 @@ public function testSessionIsNotReported()`
`323`	`323`
`324`	`324`	`$listener = new ContextListener($tokenStorage, [], 'context_key', null, null, null, $tokenStorage->getToken(...));`
`325`	`325`	`$listener(new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST));`
	`326`	`+`
	`327`	`+ $listener->onKernelResponse(new ResponseEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST, new Response()));`
`326`	`328`	`}`
`327`	`329`
`328`	`330`	`public function testOnKernelResponseRemoveListener()`