symfony
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
+2Lines changed: 2 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
+2Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+2-2Lines changed: 2 additions & 2 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+2-2Lines changed: 2 additions & 2 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
+25-1Lines changed: 25 additions & 1 deletion b/‎src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
+25-1Lines changed: 25 additions & 1 deletion
diff --git a/‎src/Symfony/Component/HttpKernel/EventListener/SessionListener.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/EventListener/SessionListener.php
+2-2Lines changed: 2 additions & 2 deletions b/‎src/Symfony/Component/HttpKernel/EventListener/SessionListener.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/EventListener/SessionListener.php
+2-2Lines changed: 2 additions & 2 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/Exception/UnexpectedSessionUsageException.php
Copy file name to clipboard
+19Lines changed: 19 additions & 0 deletions b/‎src/Symfony/Component/HttpKernel/Exception/UnexpectedSessionUsageException.php
Copy file name to clipboard
+19Lines changed: 19 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
+43Lines changed: 43 additions & 0 deletions b/‎src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/Tests/EventListener/SessionListenerTest.php
+43Lines changed: 43 additions & 0 deletions
@@ -66,7 +66,9 @@
             <argument type="service_locator">
                 <argument key="session" type="service" id="session" on-invalid="ignore" />
                 <argument key="initialized_session" type="service" id="session" on-invalid="ignore_uninitialized" />
+                <argument key="logger" type="service" id="logger" on-invalid="ignore" />
             </argument>
+            <argument>%kernel.debug%</argument>
         </service>
 
         <!-- for BC -->
 
@@ -504,7 +504,7 @@ public function testNullSessionHandler()
         $this->assertNull($container->getDefinition('session.storage.native')->getArgument(1));
         $this->assertNull($container->getDefinition('session.storage.php_bridge')->getArgument(0));
 
-        $expected = ['session', 'initialized_session'];
+        $expected = ['session', 'initialized_session', 'logger'];
         $this->assertEquals($expected, array_keys($container->getDefinition('session_listener')->getArgument(0)->getValues()));
     }
 
@@ -1301,7 +1301,7 @@ public function testSessionCookieSecureAuto()
     {
         $container = $this->createContainerFromFile('session_cookie_secure_auto');
 
-        $expected = ['session', 'initialized_session', 'session_storage', 'request_stack'];
+        $expected = ['session', 'initialized_session', 'logger', 'session_storage', 'request_stack'];
         $this->assertEquals($expected, array_keys($container->getDefinition('session_listener')->getArgument(0)->getValues()));
     }
 
 
@@ -18,6 +18,7 @@
 use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
+use Symfony\Component\HttpKernel\Exception\UnexpectedSessionUsageException;
 use Symfony\Component\HttpKernel\KernelEvents;
 
 /**
@@ -40,11 +41,13 @@ abstract class AbstractSessionListener implements EventSubscriberInterface
     const NO_AUTO_CACHE_CONTROL_HEADER = 'Symfony-Session-NoAutoCacheControl';
 
     protected $container;
+    private $debug;
     private $sessionUsageStack = [];
 
-    public function __construct(ContainerInterface $container = null)
+    public function __construct(ContainerInterface $container = null, bool $debug = true)
     {
         $this->container = $container;
+        $this->debug = $debug;
     }
 
     public function onKernelRequest(RequestEvent $event)
@@ -83,6 +86,10 @@ public function onKernelResponse(ResponseEvent $event)
         }
 
         if ($session instanceof Session ? $session->getUsageIndex() !== end($this->sessionUsageStack) : $session->isStarted()) {
+            if ($event->getRequest()->attributes->get('_stateless', false)) {
+                $this->reportUnexpectedSessionUse();
+            }
+
             if ($autoCacheControl) {
                 $response
                     ->setExpires(new \DateTime())
@@ -145,4 +152,21 @@ public static function getSubscribedEvents(): array
      * @return SessionInterface|null A SessionInterface instance or null if no session is available
      */
     abstract protected function getSession();
+
+    /**
+     * Report that the session was unexpectedly used.
+     *
+     * @throws UnexpectedSessionUsageException
+     */
+    private function reportUnexpectedSessionUse(): void
+    {
+        $message = 'Session was used while the request was declared stateless.';
+        if ($this->debug) {
+            throw new UnexpectedSessionUsageException($message);
+        }
+
+        if ($this->container->has('logger')) {
+            $this->container->get('logger')->warning($message);
+        }
+    }
 }
@@ -28,9 +28,9 @@
  */
 class SessionListener extends AbstractSessionListener
 {
-    public function __construct(ContainerInterface $container)
+    public function __construct(ContainerInterface $container, bool $debug = true)
     {
-        $this->container = $container;
+        parent::__construct($container, $debug);
     }
 
     protected function getSession(): ?SessionInterface
 
@@ -0,0 +1,19 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpKernel\Exception;
+
+/**
+ * @author Mathias Arlaud <mathias.arlaud@gmail.com>
+ */
+class UnexpectedSessionUsageException extends \LogicException
+{
+}
@@ -12,6 +12,7 @@
 namespace Symfony\Component\HttpKernel\Tests\EventListener;
 
 use PHPUnit\Framework\TestCase;
+use Psr\Log\LoggerInterface;
 use Symfony\Component\DependencyInjection\Container;
 use Symfony\Component\DependencyInjection\ServiceLocator;
 use Symfony\Component\HttpFoundation\Request;
@@ -24,6 +25,7 @@
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\EventListener\AbstractSessionListener;
 use Symfony\Component\HttpKernel\EventListener\SessionListener;
+use Symfony\Component\HttpKernel\Exception\UnexpectedSessionUsageException;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 
 class SessionListenerTest extends TestCase
@@ -178,4 +180,45 @@ public function testSurrogateMasterRequestIsPublic()
         $this->assertTrue($response->headers->has('Expires'));
         $this->assertLessThanOrEqual((new \DateTime('now', new \DateTimeZone('UTC'))), (new \DateTime($response->headers->get('Expires'))));
     }
+
+    public function testSessionUsageExceptionIfStatelessAndSessionUsed()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+        $session->expects($this->exactly(2))->method('getUsageIndex')->will($this->onConsecutiveCalls(0, 1));
+
+        $container = new Container();
+        $container->set('initialized_session', $session);
+
+        $listener = new SessionListener($container, true);
+        $kernel = $this->getMockBuilder(HttpKernelInterface::class)->disableOriginalConstructor()->getMock();
+
+        $request = new Request();
+        $request->attributes->set('_stateless', true);
+        $listener->onKernelRequest(new RequestEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $this->expectException(UnexpectedSessionUsageException::class);
+        $listener->onKernelResponse(new ResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, new Response()));
+    }
+
+    public function testSessionUsageLogIfStatelessAndSessionUsed()
+    {
+        $session = $this->getMockBuilder(Session::class)->disableOriginalConstructor()->getMock();
+        $session->expects($this->exactly(2))->method('getUsageIndex')->will($this->onConsecutiveCalls(0, 1));
+
+        $logger = $this->getMockBuilder(LoggerInterface::class)->disableOriginalConstructor()->getMock();
+        $logger->expects($this->exactly(1))->method('warning');
+
+        $container = new Container();
+        $container->set('initialized_session', $session);
+        $container->set('logger', $logger);
+
+        $listener = new SessionListener($container, false);
+        $kernel = $this->getMockBuilder(HttpKernelInterface::class)->disableOriginalConstructor()->getMock();
+
+        $request = new Request();
+        $request->attributes->set('_stateless', true);
+        $listener->onKernelRequest(new RequestEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $listener->onKernelResponse(new ResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, new Response()));
+    }
 }
Original file line number	Diff line number	Diff line change
`@@ -504,7 +504,7 @@ public function testNullSessionHandler()`
`504`	`504`	`$this->assertNull($container->getDefinition('session.storage.native')->getArgument(1));`
`505`	`505`	`$this->assertNull($container->getDefinition('session.storage.php_bridge')->getArgument(0));`
`506`	`506`
`507`		`- $expected = ['session', 'initialized_session'];`
	`507`	`+ $expected = ['session', 'initialized_session', 'logger'];`
`508`	`508`	`$this->assertEquals($expected, array_keys($container->getDefinition('session_listener')->getArgument(0)->getValues()));`
`509`	`509`	`}`
`510`	`510`
`@@ -1301,7 +1301,7 @@ public function testSessionCookieSecureAuto()`
`1301`	`1301`	`{`
`1302`	`1302`	`$container = $this->createContainerFromFile('session_cookie_secure_auto');`
`1303`	`1303`
`1304`		`- $expected = ['session', 'initialized_session', 'session_storage', 'request_stack'];`
	`1304`	`+ $expected = ['session', 'initialized_session', 'logger', 'session_storage', 'request_stack'];`
`1305`	`1305`	`$this->assertEquals($expected, array_keys($container->getDefinition('session_listener')->getArgument(0)->getValues()));`
`1306`	`1306`	`}`
`1307`	`1307`
Original file line number	Diff line number	Diff line change
`@@ -28,9 +28,9 @@`
`28`	`28`	`*/`
`29`	`29`	`class SessionListener extends AbstractSessionListener`
`30`	`30`	`{`
`31`		`- public function __construct(ContainerInterface $container)`
	`31`	`+ public function __construct(ContainerInterface $container, bool $debug = true)`
`32`	`32`	`{`
`33`		`- $this->container = $container;`
	`33`	`+ parent::__construct($container, $debug);`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`protected function getSession(): ?SessionInterface`