Symfony version(s) affected

5.4, 6.x

Description

When a response is marked as cacheable by a private cache, AbstractSessionListener will still override it with a max-age of 0 in case the session is used. This makes it impossible to have private cache when using stateful authentication (except by disabling the auto cache control).
Forcing the response to be private makes sense in AbstractSessionListener (as the response depends on the session), but it should respect an existing private cache control

How to reproduce

Create a controller using authentication and returning a Response with ->setPrivate() and setMaxAge(180). Look at the headers in the devtool (not in the Symfony profiler as it collects headers before AbstractSessionListener runs).

Possible Solution

No response

Additional Context

No response