[Request] Let hasPreviousSession take REMEMBERME cookie into account

[rvanlaak]

Problem

The Request::hasPreviousSession check currently does not take the remember-me cookie into account. We show account buttons on our website, but only 5% of the users are logged in (eg. need a session). When users login and enable 'remember me', all is okay for that session, but in case of IS_AUTHENTICATED_REMEMBERED (eg. expired session) the proper buttons aren't shown.

{% if app.request.hasPreviousSession and app.user is not null and is_granted('ROLE_USER') %}
    <a id="adminLink" href="{{ url('admin') }}">...</a>
{% else %}
    <a id="loginLink" href="{{ url('login') }}">...</a>
{% endif %}

Solution

Can be reproduced by removing the PHPSESSID cookie via the developer tools. I think that hasPreviousSession should also take IS_AUTHENTICATED_REMEMBERED into account. Was able to solve this by also checking the cookies for the remember me:

// Symfony\Component\HttpFoundation\Request

public function hasPreviousSession()
{
    // the check for $this->session avoids malicious users trying to fake a session cookie with proper name
    return $this->hasSession() && ($this->cookies->has($this->session->getName()) || $this->cookies->has('REMEMBERME'));
}

As Request is not aware of the configured remember_me cookie name this fix is not the right one.

Discussion

In case not taking the remember_me cookie into account is the right behavior, I think the usage of hasPreviousSession in the following docs should be discussed:

• http://symfony.com/doc/current/cookbook/session/avoid_session_start.html
• http://symfony.com/doc/current/cookbook/session/locale_sticky_session.html

{% if app.request.hasPreviousSession %}

then should be

{% if app.request.session.isStarted() %}

... what also solved the above use case.

[xabbuh]

I don't think this is a bug. A remember me cookie has nothing to do with a session and can not be taken into account in hasPreviousSession().