fix: corrected Symfony session usage for flash bags

thorsten · thorsten · commit d72ec3fb48ba · 2026-01-05T23:01:14.000+01:00
diff --git a/phpmyfaq/src/Bootstrap.php b/phpmyfaq/src/Bootstrap.php
@@ -159,7 +159,7 @@
     throw new DatabaseConnectionException(
         message: 'Database connection failed: ' . $exception->getMessage(),
         code: 500,
-        previous: $exception
+        previous: $exception,
     );
 }
 
@@ -173,22 +173,16 @@
 // We always need a valid, secure session!
 //
 if (session_status() !== PHP_SESSION_ACTIVE) {
-    $sessionOptions = [
-        'use_only_cookies' => 1,
-        'use_trans_sid' => 0,
-        'cookie_samesite' => 'Strict',
-        'cookie_httponly' => true,
-        'cookie_secure' => $request->isSecure(),
-    ];
+    ini_set('session.use_only_cookies', '1');
+    ini_set('session.use_trans_sid', '0');
+    ini_set('session.cookie_samesite', 'Strict');
+    ini_set('session.cookie_httponly', '1');
+    ini_set('session.cookie_secure', '1');
 
     // Start the PHP session
     if (defined('PMF_SESSION_SAVE_PATH') && !empty(PMF_SESSION_SAVE_PATH)) {
-        $sessionOptions['save_path'] = PMF_SESSION_SAVE_PATH;
+        ini_set('session.save_path', PMF_SESSION_SAVE_PATH);
     }
-
-    session_start($sessionOptions);
-    $session = new Session(new PhpBridgeSessionStorage());
-    $session->start();
 }
 
 //
@@ -268,7 +262,7 @@
         // do not block bootstrap if a health check fails
     }
 
-    $client = (new SymfonyClientFactory())->create([
+    $client = new SymfonyClientFactory()->create([
         'base_uri' => $baseUri,
         'verify_peer' => false,
     ]);
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AuthenticationController.php b/phpmyfaq/src/phpMyFAQ/Controller/Frontend/AuthenticationController.php
@@ -21,8 +21,6 @@
 use phpMyFAQ\Filter;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
-use phpMyFAQ\User\CurrentUser;
-use phpMyFAQ\User\TwoFactor;
 use phpMyFAQ\User\UserAuthentication;
 use phpMyFAQ\User\UserException;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -103,7 +101,7 @@ public function forgotPassword(Request $request): Response
      * @throws \Exception
      */
     #[Route(path: '/logout', name: 'public.auth.logout')]
-    public function logout(Request $request): \Symfony\Component\HttpFoundation\RedirectResponse
+    public function logout(Request $request): RedirectResponse
     {
         $session = $this->container->get('session');
         $csrfToken = Filter::filterVar($request->query->get('csrf'), FILTER_SANITIZE_SPECIAL_CHARS);
@@ -112,11 +110,11 @@ public function logout(Request $request): \Symfony\Component\HttpFoundation\Redi
 
         if (!Token::getInstance($this->container->get('session'))->verifyToken('logout', $csrfToken)) {
             $session->getFlashBag()->add('error', 'CSRF Problem detected: ' . $csrfToken);
-            return $redirectResponse->send();
+            return $redirectResponse;
         }
 
         if (!$this->currentUser->isLoggedIn()) {
-            return $redirectResponse->send();
+            return $redirectResponse;
         }
 
         $this->currentUser->deleteFromSession(true);
@@ -128,7 +126,7 @@ public function logout(Request $request): \Symfony\Component\HttpFoundation\Redi
         $ssoLogout = $this->configuration->get('security.ssoLogoutRedirect');
         if ($this->configuration->get('security.ssoSupport') && (string) $ssoLogout !== '') {
             $redirectResponse->isRedirect($ssoLogout);
-            $redirectResponse->send();
+            return $redirectResponse;
         }
 
         // Microsoft Azure Logout
@@ -139,7 +137,7 @@ public function logout(Request $request): \Symfony\Component\HttpFoundation\Redi
             return new RedirectResponse($this->configuration->getDefaultUrl() . 'services/azure/logout.php');
         }
 
-        return $redirectResponse->send();
+        return $redirectResponse;
     }
 
     /**
@@ -148,7 +146,7 @@ public function logout(Request $request): \Symfony\Component\HttpFoundation\Redi
      * @throws \Exception
      */
     #[Route(path: '/authenticate', name: 'public.auth.authenticate', methods: ['POST'])]
-    public function authenticate(Request $request): \Symfony\Component\HttpFoundation\RedirectResponse
+    public function authenticate(Request $request): RedirectResponse
     {
         if ($this->currentUser->isLoggedIn()) {
             return new RedirectResponse(url: './');
@@ -183,8 +181,6 @@ public function authenticate(Request $request): \Symfony\Component\HttpFoundatio
                     return new RedirectResponse(url: './token?user-id=' . $this->currentUser->getUserId());
                 }
 
-                // Successful login without 2FA
-                $this->container->get('session')->getFlashBag()->add('success', Translation::get('ad_auth_sess'));
                 return new RedirectResponse('./');
             } catch (UserException $e) {
                 $this->configuration->getLogger()->error('Login-error: ' . $e->getMessage());
@@ -237,7 +233,7 @@ public function token(Request $request): Response
      * @throws \Exception
      */
     #[Route(path: '/check', name: 'public.twofactor.check', methods: ['POST'])]
-    public function check(Request $request): \Symfony\Component\HttpFoundation\RedirectResponse
+    public function check(Request $request): RedirectResponse
     {
         if ($this->currentUser->isLoggedIn()) {
             return new RedirectResponse(url: './');
diff --git a/phpmyfaq/src/phpMyFAQ/User/CurrentUser.php b/phpmyfaq/src/phpMyFAQ/User/CurrentUser.php
@@ -450,8 +450,8 @@ public function deleteFromSession(bool $deleteCookie = false): bool
             $this->userSession->setCookie(UserSession::COOKIE_NAME_REMEMBER_ME, '');
         }
 
-        session_destroy();
-        session_start();
+        // @todo Check if session_destroy() is really needed here
+        //session_destroy();
 
         return true;
     }
diff --git a/phpmyfaq/src/public-routes.php b/phpmyfaq/src/public-routes.php
@@ -19,17 +19,17 @@
 
 use phpMyFAQ\Controller\Frontend\Api\SetupController;
 use phpMyFAQ\Controller\Frontend\AttachmentController;
+use phpMyFAQ\Controller\Frontend\AuthenticationController;
 use phpMyFAQ\Controller\Frontend\CategoryController;
 use phpMyFAQ\Controller\Frontend\ContactController;
 use phpMyFAQ\Controller\Frontend\FaqController;
 use phpMyFAQ\Controller\Frontend\GlossaryController;
-use phpMyFAQ\Controller\Frontend\AuthenticationController;
 use phpMyFAQ\Controller\Frontend\NewsController;
-use phpMyFAQ\Controller\Frontend\QuestionsController;
 use phpMyFAQ\Controller\Frontend\OverviewController;
 use phpMyFAQ\Controller\Frontend\PageNotFoundController;
 use phpMyFAQ\Controller\Frontend\PdfController;
 use phpMyFAQ\Controller\Frontend\PrivacyController;
+use phpMyFAQ\Controller\Frontend\QuestionsController;
 use phpMyFAQ\Controller\Frontend\SearchController;
 use phpMyFAQ\Controller\Frontend\SitemapController as FrontendSitemapController;
 use phpMyFAQ\Controller\Frontend\StartpageController;

Original file line number	Diff line number	Diff line change
`@@ -450,8 +450,8 @@ public function deleteFromSession(bool $deleteCookie = false): bool`
`450`	`450`	`$this->userSession->setCookie(UserSession::COOKIE_NAME_REMEMBER_ME, '');`
`451`	`451`	`}`
`452`	`452`
`453`		`- session_destroy();`
`454`		`- session_start();`
	`453`	`+ // @todo Check if session_destroy() is really needed here`
	`454`	`+ //session_destroy();`
`455`	`455`
`456`	`456`	`return true;`
`457`	`457`	`}`