Symfony version(s) affected
4.4.41
Description
The $event->getRequest()->getSession() call in Symfony\Component\HttpKernel\EventListener\AbstractSessionListener.php:77 can trigger SessionNotFoundException when the request has no session.
This issue was already fixed in newer versions (see the "Possible Solution" section), and the fix should also be implemented in 4.4.
How to reproduce
The problem appears in my Symfony project, which uses symfony/http-kernel 4.4.41 and symfony/http-foundation 5.4.8 in combination with the nelmio/cors-bundle 2.2.0.
When CORS is configured, the browser performs a preflight OPTIONS request (which can never send cookies by design) before the real POST request. The CorsListener of the bundle handles the preflight request properly, but later, somehow, in the onKernelResponse() method of the SessionListener, a SessionNotFoundException is triggered because the request has no session.
I tried to build a minimal reproducer with the Symfony 4.4 out-of-the-box security and session handling, but the problem appears only in my real project, which has a customized session handling that I cannot include in a minimal reproducer.
Possible Solution
The issue was already fixed in the AbstractSessionListener of symfony/http-kernel > 5.3, see: 7abddd0
The minimal fix for the issue seems to be just checking for $event->getRequest()->hasSession() before performing $event->getRequest()->getSession() in onKernelResponse() of AbstractSessionListener:
    if (!$session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : $event->getRequest()->getSession()) {
        return;
    }
to
    if (!$session = $this->container && $this->container->has('initialized_session') ? $this->container->get('initialized_session') : ($event->getRequest()->hasSession() ? $event->getRequest()->getSession() : null)) {
        return;
    }
Additional Context
SessionNotFoundException
Symfony\Component\HttpFoundation\Exception\SessionNotFoundException:
Session has not been set.
at vendor/symfony/http-foundation/Request.php:739
at Symfony\Component\HttpFoundation\Request->getSession()
(vendor/symfony/http-kernel/EventListener/AbstractSessionListener.php:77)
at Symfony\Component\HttpKernel\EventListener\AbstractSessionListener->onKernelResponse()
(vendor/symfony/event-dispatcher/Debug/WrappedListener.php:126)
at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke()
(vendor/symfony/event-dispatcher/EventDispatcher.php:264)
at Symfony\Component\EventDispatcher\EventDispatcher->doDispatch()
(vendor/symfony/event-dispatcher/EventDispatcher.php:239)
at Symfony\Component\EventDispatcher\EventDispatcher->callListeners()
(vendor/symfony/event-dispatcher/EventDispatcher.php:73)
at Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
(vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php:168)
at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch()
(vendor/symfony/http-kernel/HttpKernel.php:191)
at Symfony\Component\HttpKernel\HttpKernel->filterResponse()
(vendor/symfony/http-kernel/HttpKernel.php:137)
at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
(vendor/symfony/http-kernel/HttpKernel.php:80)
at Symfony\Component\HttpKernel\HttpKernel->handle()
(vendor/symfony/http-kernel/Kernel.php:201)
at Symfony\Component\HttpKernel\Kernel->handle()
(public/index.php:28)
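
A regression test for the hasSession() guard proposed in the report, as an added example that is not part of the original report or of Symfony's own test suite. It assumes PHPUnit and symfony/dependency-injection are installed next to the package versions named in the report; the test class name, URL and Origin value are constructed for illustration.

```php
<?php
// Added example (not Symfony's code). Run with PHPUnit in a project that has
// symfony/http-kernel, symfony/http-foundation and symfony/dependency-injection.

use PHPUnit\Framework\TestCase;
use Symfony\Component\DependencyInjection\Container;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\EventListener\SessionListener;
use Symfony\Component\HttpKernel\HttpKernelInterface;

final class SessionlessPreflightTest extends TestCase // hypothetical name
{
    public function testResponseListenerToleratesRequestWithoutSession(): void
    {
        // Constructed preflight-style request: OPTIONS, no cookies, and
        // setSession() is never called on it.
        $request = Request::create(
            '/api/resource', 'OPTIONS', [], [], [],
            ['HTTP_ORIGIN' => 'https://app.example']
        );
        self::assertFalse($request->hasSession());

        $event = new ResponseEvent(
            $this->createMock(HttpKernelInterface::class),
            $request,
            HttpKernelInterface::MASTER_REQUEST,
            new Response('', 204)
        );

        // An empty container has no 'initialized_session' service, so the
        // listener takes the branch that asks the request for its session.
        $listener = new SessionListener(new Container());

        // With the unguarded getSession() call and an http-foundation version
        // whose getSession() throws, this line raises SessionNotFoundException.
        // With the hasSession() guard it returns without touching the response.
        $listener->onKernelResponse($event);

        self::assertSame(204, $event->getResponse()->getStatusCode());
        self::assertFalse($event->getResponse()->headers->has('Set-Cookie'));
    }
}
```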