[Security] Use the session only if it is started when using SameOriginCsrfTokenManager

Thibault G · nicolas-grekas · commit e32d3c2de6d0 · 2025-01-02T18:27:04.000+01:00
diff --git a/SameOriginCsrfTokenManager.php b/SameOriginCsrfTokenManager.php
@@ -207,9 +207,17 @@ public function clearCookies(Request $request, Response $response): void
 
     public function persistStrategy(Request $request): void
     {
-        if ($request->hasSession(true) && $request->attributes->has($this->cookieName)) {
-            $request->getSession()->set($this->cookieName, $request->attributes->get($this->cookieName));
+        if (!$request->attributes->has($this->cookieName)
+            || !$request->hasSession(true)
+            || !($session = $request->getSession())->isStarted()
+        ) {
+            return;
         }
+
+        $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : 0;
+        $usageIndexReference = \PHP_INT_MIN;
+        $session->set($this->cookieName, $request->attributes->get($this->cookieName));
+        $usageIndexReference = $usageIndexValue;
     }
 
     public function onKernelResponse(ResponseEvent $event): void
diff --git a/Tests/SameOriginCsrfTokenManagerTest.php b/Tests/SameOriginCsrfTokenManagerTest.php
@@ -207,9 +207,11 @@ public function testClearCookies()
         $this->assertTrue($response->headers->has('Set-Cookie'));
     }
 
-    public function testPersistStrategyWithSession()
+    public function testPersistStrategyWithStartedSession()
     {
         $session = $this->createMock(Session::class);
+        $session->method('isStarted')->willReturn(true);
+
         $request = new Request();
         $request->setSession($session);
         $request->attributes->set('csrf-token', 2 << 8);
@@ -219,6 +221,19 @@ public function testPersistStrategyWithSession()
         $this->csrfTokenManager->persistStrategy($request);
     }
 
+    public function testPersistStrategyWithSessionNotStarted()
+    {
+        $session = $this->createMock(Session::class);
+
+        $request = new Request();
+        $request->setSession($session);
+        $request->attributes->set('csrf-token', 2 << 8);
+
+        $session->expects($this->never())->method('set');
+
+        $this->csrfTokenManager->persistStrategy($request);
+    }
+
     public function testOnKernelResponse()
     {
         $request = new Request([], [], ['csrf-token' => 2], ['csrf-token_test' => 'csrf-token']);

Original file line number	Diff line number	Diff line change
`@@ -207,9 +207,17 @@ public function clearCookies(Request $request, Response $response): void`
`207`	`207`
`208`	`208`	`public function persistStrategy(Request $request): void`
`209`	`209`	`{`
`210`		`- if ($request->hasSession(true) && $request->attributes->has($this->cookieName)) {`
`211`		`- $request->getSession()->set($this->cookieName, $request->attributes->get($this->cookieName));`
	`210`	`+ if (!$request->attributes->has($this->cookieName)`
	`211`	`+ \|\| !$request->hasSession(true)`
	`212`	`+ \|\| !($session = $request->getSession())->isStarted()`
	`213`	`+ ) {`
	`214`	`+ return;`
`212`	`215`	`}`
	`216`	`+`
	`217`	`+ $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : 0;`
	`218`	`+ $usageIndexReference = \PHP_INT_MIN;`
	`219`	`+ $session->set($this->cookieName, $request->attributes->get($this->cookieName));`
	`220`	`+ $usageIndexReference = $usageIndexValue;`
`213`	`221`	`}`
`214`	`222`
`215`	`223`	`public function onKernelResponse(ResponseEvent $event): void`