cleanup anonymous request matcher

FriendsOfSymfony · Mar 23, 2018 · d66a379 · d66a379
1 parent 12dd32e
commit d66a379
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,43 @@
 Changelog
 =========
 
+1.3.13
+------
+
+* Symfony HttpCache User Context: Move the AnonymousRequestMatcher to FOSHttpCache.
+  The default user_identifier_headers are now 'Authorization', 'HTTP_AUTHORIZATION' and
+  'PHP_AUTH_USER' as when using the FOSHttpCache library stand-alone.
+
+  The recommended way to ignore cookie based sessions is to set `session_name_prefix` to
+  false rather than omit the Cookie header from `user_identifier_headers`.
+
+  If the `Cookie` header is in the list of `user_identifier_headers`, any cookie will make
+  the request not anonymous.
+
+1.3.12
+------
+
+* Prevent potential accidental caching on user context hash mismatch (particularly with symfony HttpCache).
+
+1.3.11
+------
+
+* #395 : Compatibility with SensioFrameworkExtraBundle 4.
+
+1.3.10
+------
+
+* Avoid calling deprecated method in Symfony 3.2.
+
+1.3.9
+-----
+
+* Fix configuration handling when only custom proxy client is configured.
+
+1.3.8
+-----
+
+* Do not sanity check hash on anonymous requests.
 
 1.3.7
 -----

diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -646,16 +646,14 @@ private function addUserContextListenerSection(ArrayNodeDefinition $rootNode)
                         ->end()
                         ->arrayNode('user_identifier_headers')
                             ->prototype('scalar')->end()
-                            ->defaultValue(array('Authorization', 'HTTP_AUTHORIZATION', 'PHP_AUTH_USER'))
-                            ->info('List of headers that contains the unique identifier for the user in the hash request.')
+                            ->info('List of headers that contain the unique identifier for the user in the hash request.')
                         ->end()
                         ->scalarNode('user_hash_header')
                             ->defaultValue('X-User-Context-Hash')
                             ->info('Name of the header that contains the hash information for the context.')
                         ->end()
                         ->scalarNode('session_name_prefix')
-                            ->defaultValue('PHPSESSID')
-                            ->info('Prefix for session cookies. Must match your PHP session configuration.')
+                            ->info('Prefix for session cookies. Must match your PHP session configuration. Set to false to ignore cookies in user context.')
                         ->end()
                         ->booleanNode('role_provider')
                             ->defaultFalse()

diff --git a/DependencyInjection/FOSHttpCacheExtension.php b/DependencyInjection/FOSHttpCacheExtension.php
@@ -192,6 +192,7 @@ private function loadUserContext(ContainerBuilder $container, XmlFileLoader $loa
             ->replaceArgument(0, $config['match']['accept'])
             ->replaceArgument(1, $config['match']['method']);
 
+
         $container->getDefinition($this->getAlias().'.event_listener.user_context')
             ->replaceArgument(0, new Reference($config['match']['matcher_service']))
             ->replaceArgument(2, $config['user_identifier_headers'])
@@ -202,6 +203,11 @@ private function loadUserContext(ContainerBuilder $container, XmlFileLoader $loa
             'user_identifier_headers' => $config['user_identifier_headers'],
             'session_name_prefix' => $config['session_name_prefix'],
         );
+        if (null === $config['session_name_prefix']
+            && !in_array('Cookie', $config['user_identifier_headers'])
+        ) {
+            $options['session_name_prefix'] = false;
+        }
         $container->getDefinition($this->getAlias().'.user_context.anonymous_request_matcher')
             ->replaceArgument(0, $options);
 

diff --git a/EventListener/UserContextSubscriber.php b/EventListener/UserContextSubscriber.php
@@ -165,12 +165,12 @@ public function onKernelResponse(FilterResponseEvent $event)
 
         if ($request->headers->has($this->hashHeader)) {
             // hash has changed, session has most certainly changed, prevent setting incorrect cache
-            if (!is_null($this->hash) && $this->hash !== $request->headers->get($this->hashHeader)) {
-                $response->setCache([
+            if (null !== $this->hash && $this->hash !== $request->headers->get($this->hashHeader)) {
+                $response->setCache(array(
                     'max_age' => 0,
                     's_maxage' => 0,
                     'private' => true,
-                ]);
+                ));
                 $response->headers->addCacheControlDirective('no-cache');
                 $response->headers->addCacheControlDirective('no-store');
 

diff --git a/composer.json b/composer.json
@@ -22,7 +22,7 @@
     ],
     "require": {
         "php": ">=5.3.3",
-        "friendsofsymfony/http-cache": "~1.4",
+        "friendsofsymfony/http-cache": "^1.4.5",
         "symfony/framework-bundle": "^2.3||^3.0"
     },
     "require-dev": {