fix(http): Adjust session handling in StatelessApplication to set session ID from cookies and ensure clean state management.

[terabytesoftw]

Q	A
Is bugfix?	✔️
New feature?	❌
Breaks BC?	❌

Summary by CodeRabbit

• Bug Fixes
  • Ensures your existing session is reliably recognized from browser cookies during app initialization and resets.
  • Reduces unexpected sign-outs and prevents loss of in-progress actions by maintaining session continuity across requests.
  • Provides a more stable startup experience with fewer hiccups related to session lifecycle handling.
  • No changes to user permissions or settings; this update strictly improves session reliability.

[coderabbitai]

Walkthrough

Updated StatelessApplication::reset to derive the session ID from the request cookie (by session name), set it on the session, run bootstrap, and finally close the session. Removed the earlier explicit session close/open cycle before bootstrap. No public API signatures changed.

Changes

Cohort / File(s)	Summary
Stateless session reset logic src/http/StatelessApplication.php	Modify reset: remove pre-bootstrap session close/open; read session ID from request cookie, call session->setId(...), run bootstrap, then session->close(). No exported signatures changed.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant R as Request
  participant A as StatelessApplication.reset()
  participant S as Session
  participant B as Bootstrap

  R->>A: Invoke reset()
  A->>R: Read cookie by session name
  A->>S: setId(sessionId)
  A->>B: bootstrap()
  A->>S: close()
  note right of A: Pre-bootstrap close/open removed

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• refactor(application): Improve response handling and reset request state in StatelessApplication. #89: Also modifies StatelessApplication::reset focusing on request reset behavior, intersecting with this session handling change.
• test(http): Extract cookie tests from ApplicationTest to ApplicationCookieTest class. #121: Moves/adds cookie-centric tests for stateless handling in the same class, aligning with session ID extraction from cookies.
• test(http): Extract session tests from ApplicationTest to ApplicationSessionTest class. #118: Adjusts tests for per-session (cookie-based) behavior related to session management in reset.

Suggested labels

bug

Poem

A cookie crumb, a session key,
I twitch my nose—ID for me! 🍪🐇
No open-close before the run,
We set, we boot, and then we’re done.
Hop, hop—stateless, swift, and neat,
Another tidy burrow complete.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-mini-139

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (c868118) to head (40ffd68).

Additional details and impacted files

@@             Coverage Diff             @@
##                main      #158   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
  Complexity       317       317           
===========================================
  Files             12        12           
  Lines            803       801    -2     
===========================================
- Hits             803       801    -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c868118 and 40ffd68.

📒 Files selected for processing (1)

• src/http/StatelessApplication.php (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-03T16:24:09.241Z

Learnt from: terabytesoftw
PR: yii2-extensions/psr-bridge#53
File: src/http/ErrorHandler.php:258-272
Timestamp: 2025-08-03T16:24:09.241Z
Learning: In yii2-extensions/psr-bridge, the StatelessApplication creates a new Response instance for each request in the reset() method, then passes it to ErrorHandler::setResponse(). This means the template response is not shared across requests, so calling clear() on it in createErrorResponse() is safe and doesn't cause side effects.

Applied to files:

• src/http/StatelessApplication.php

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: phpunit / PHP 8.1-ubuntu-latest
• GitHub Check: phpunit / PHP 8.4-windows-latest
• GitHub Check: composer-require-checker / PHP 8.4-ubuntu-latest
• GitHub Check: mutation / PHP 8.3-ubuntu-latest
• GitHub Check: mutation / PHP 8.3-ubuntu-latest

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Fix null dereference and avoid Yii cookie-validation mismatch when reading session ID

• ->get(...)->value ?? '' will fatal when the cookie is absent because ->value is accessed on null.
• Reading from $this->request->getCookies() depends on Yii cookie validation; the PHP session cookie (e.g., PHPSESSID) is typically not signed and may be filtered out when validation is enabled. Use PSR-7 $request->getCookieParams() instead and only set the ID when present and non-empty.

Apply this diff:

-        // if a session cookie is present, set the session ID accordingly
-        $sessionId = $this->request->getCookies()->get($this->session->getName())->value ?? '';
-        $this->session->setId($sessionId);
+        // if a session cookie is present, set the session ID accordingly
+        $sessionName = $this->session->getName();
+        $sessionId = $request->getCookieParams()[$sessionName] ?? null;
+        if (is_string($sessionId) && $sessionId !== '') {
+            $this->session->setId($sessionId);
+        }

Optionally, add a lightweight unit test to cover:

• no session cookie present → setId() is not called
• valid session cookie present → setId() receives that value
• empty session cookie value → setId() is not called

I can draft the tests if helpful.

---

🏁 Script executed:

#!/bin/bash
# Locate the StatelessApplication.php file
file=$(rg -l "class StatelessApplication" --glob "*.php")
echo "StatelessApplication file: $file"

# Show lines around the snippet (lines ~423)
sed -n '400,460p' "$file"

# Show occurrences of getCookies in the file
rg -n "getCookies" -C2 "$file"

# Search for any use of getCookieParams in the repo
rg -n "getCookieParams" -C3 --glob "*.php"

Length of output: 3942

---

🏁 Script executed:

#!/bin/bash
# Display the session‐cookie logic in StatelessApplication
sed -n '400,460p' src/http/StatelessApplication.php

# Check if getCookieParams is already used in this file
rg -n 'getCookieParams' -C3 src/http/StatelessApplication.php

Length of output: 2383

---

Prevent null dereference and bypass Yii cookie validation for session ID

In src/http/StatelessApplication.php inside the reset() method (around line 423), the current code…

// if a session cookie is present, set the session ID accordingly
$sessionId = $this->request->getCookies()->get($this->session->getName())->value ?? '';
$this->session->setId($sessionId);

…can

• fatally dereference ->value when the named cookie is missing (it returns null),
• and silently overwrite the session ID with an empty string even if no cookie was provided,
• while also relying on Yii’s cookie-validation (which drops unsigned PHPSESSID cookies).

Replace with PSR-7’s raw cookie params and guard both null and empty values:

-        // if a session cookie is present, set the session ID accordingly
-        $sessionId = $this->request->getCookies()->get($this->session->getName())->value ?? '';
-        $this->session->setId($sessionId);
+        // if a session cookie is present, set the session ID accordingly
+        $sessionName = $this->session->getName();
+        $sessionId   = $request->getCookieParams()[$sessionName] ?? null;
+        if (is_string($sessionId) && $sessionId !== '') {
+            $this->session->setId($sessionId);
+        }

To fully cover this behavior, add a small unit test for reset():

• no session cookie → session->setId() is never invoked
• valid non-empty cookie → session->setId() is called with that value
• cookie present but empty → session->setId() is not invoked

🤖 Prompt for AI Agents

In src/http/StatelessApplication.php around lines 423-426, the code currently
dereferences ->value on a potentially null cookie and unconditionally calls
$this->session->setId('') when no cookie exists; change it to read the raw PSR-7
cookie params (e.g. $this->request->getCookieParams()), check for the cookie
name existence and that its value is non-null and non-empty before calling
$this->session->setId($value) so you never dereference null or overwrite the
session with an empty string; additionally add unit tests for reset(): (1) no
session cookie => assert setId() is never called, (2) valid non-empty cookie =>
assert setId() called with that value, (3) cookie present but empty => assert
setId() is not called.