SessionBagProxy::initialize() must be of the type array, string given

[mynameisbogdan]

Symfony version(s) affected: v4.3.4, 4.4.x-dev

Description
When _sf2_attributes or _sf2_meta is set to a string the following error occurs:
Argument 1 passed to Symfony\Component\HttpFoundation\Session\SessionBagProxy::initialize() must be of the type array, string given, called in vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php on line 460

To force the reproduction I used $_SESSION['_sf2_attributes'] = '';, but it seems to happen when the session expires too.

How to reproduce

<?php

use App\Kernel;
use Symfony\Component\HttpFoundation\Request;

require dirname(__DIR__) . '/../config/bootstrap.php';

session_start();
$_SESSION['_sf2_attributes'] = '';

$kernel = new Kernel($_SERVER['APP_ENV'], (bool)$_SERVER['APP_DEBUG']);
$request = Request::createFromGlobals();

$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);

Possible Solution
Updating NativeSessionStorage::loadSession to check first if is an array?

- $session[$key] = isset($session[$key]) ? $session[$key] : [];
+ $session[$key] = isset($session[$key]) && \is_array($session[$key]) ? $session[$key] : [];

[nicolas-grekas]

To force the reproduction I used $_SESSION['_sf2_attributes'] = '';

to me, we don't need to support this use case

it seems to happen when the session expires too.

I suppose that's when you hint the issue? Can you give more details? How can we reproduce it?

[nicolas-grekas]

BTW, PR welcome :)

[mynameisbogdan]

this is just a way to a 100% reproduction without waiting sessions to expire.

in my use case I'm migrating a legacy app to Symfony, exactly like Prestashop does it.

I already provided a /public/index.php necesary to replicate the issue. I think it's a good way to check for arrays anyway since SessionBagProxy::initialize accepts only type array.

BTW, PR welcome :)

Okay. 👍