Cookies get lost during RedirectResponse replacement [#2582309]

Problem/Motivation

So everything starts here where we clone a redirect response and replace the old response.

          $safe_response = LocalRedirectResponse::createFromRedirectResponse($response);
        $event->setResponse($safe_response);

::createFromRedirectResponse takes care to copy everything, including exporting headers and sending them over, sending the path, etc. Unfortunately, cookies are not included in the constructor and despite living in the header bag, don't get exported or imported in the copy process. This means a listener that runs earlier and sets a cookie has that cookie thrown away leading to table flipping and hair pulling.

Proposed resolution

Iterate over cookies and set them on the cloned response.

Remaining tasks

Agree and commit

User interface changes

N/A

API changes

N/A

Data model changes

N/A

RC phase evaluation

Reference: https://www.drupal.org/core/d8-allowed-changes
No BC break, feature, etc. Just a bug.
Issue category	Bug code doesn't not behave correctly.
Issue priority	Normal bug. Doesn't affect core behaviors but disruptions normal assumptions about code behavior. Cookies set on a response should always be sent.
Allowed in RC	Contrib blocked. Bakery commonly sets its cookies why redirecting.
Needed in RC	Blocking contrib migration and site builder
Disruption: Fixes a bug, blocks a contributed project	No disruption, just restores expected behavior.

https://www.drupal.org/node/2592479

Comment	File	Size	Author
#32	2582309-32.interdiff.txt	889 bytes	neclimdul
#32	cookies_get_lost_during-2582309-32.patch	3.28 KB	neclimdul
#32	8.0.x: PHP 5.5 & MySQL 5.5 14,238 pass
#32	cookies_get_lost_during-2582309-32-FAILURE.patch	2.47 KB	neclimdul
#32	8.0.x: PHP 5.5 & MySQL 5.5 14,237 pass, 1 fail
#28	interdiff.2582309-28.txt	2.4 KB	neclimdul
#28	cookies_get_lost_during-2582309-28.patch	3.29 KB	neclimdul
#28	8.0.x: PHP 5.5 & MySQL 5.5 14,245 pass
#21	2582309-21.interdiff.txt	1.75 KB	neclimdul
#21	cookies_get_lost_during-2582309-21.patch	3.56 KB	neclimdul
#21	8.0.x: PHP 5.5 & MySQL 5.5 14,219 pass
#14	cookies_get_lost_during-2582309-14.patch	3.27 KB	neclimdul
#14	8.0.x: PHP 5.5 & MySQL 5.5 14,215 pass
#11	cookies_get_lost_during-2582309-10.patch	3.25 KB	neclimdul
#11	8.0.x: PHP 5.5 & MySQL 5.5 CI error
#11	2582309-10.interdiff.txt	704 bytes	neclimdul
#8	cookies_get_lost_during-2582309-8.patch	3.25 KB	neclimdul
#8	8.0.x: PHP 5.5 & MySQL 5.5 CI error
#3	cookies_get_lost_during-2582309-2.patch	846 bytes	neclimdul
#3	8.0.x: PHP 5.5 & MySQL 5.5 14,214 pass
#2	cookies_get_lost_during-2582309-2.patch	0 bytes	neclimdul
#2	8.0.x: PHP 5.5 & MySQL 5.5 1 fail

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

7 October 2015 at 18:05

neclimdul created an issue. See original summary.

Comment #2

neclimdul

He/Him

CreditAttribution: neclimdul commented 7 October 2015 at 18:08

Status:

Active

» Needs review

File	Size
cookies_get_lost_during-2582309-2.patch	0 bytes
8.0.x: PHP 5.5 & MySQL 5.5 1 fail

Did my best in the summary but hopefully this makes it a little more clear.

Comment #3

neclimdul

He/Him

CreditAttribution: neclimdul commented 7 October 2015 at 18:09

File	Size
cookies_get_lost_during-2582309-2.patch	846 bytes
8.0.x: PHP 5.5 & MySQL 5.5 14,214 pass

1 file was hidden/shown/deleted

File	Size
cookies_get_lost_during-2582309-2.patch	0 bytes
8.0.x: PHP 5.5 & MySQL 5.5 1 fail

where'd the patch go d.o?

Comment #4

joelpittet

English

Vancouver

CreditAttribution: joelpittet commented 7 October 2015 at 18:12

Status:	Needs review	» Needs work
Issue tags:		+Needs tests

Could use an automated test to ensure we don't run into this bug in the future.

Comment #5

7 October 2015 at 18:18

The last submitted patch, 2: cookies_get_lost_during-2582309-2.patch, failed testing.

Comment #6

dawehner

German

CreditAttribution: dawehner as a volunteer commented 7 October 2015 at 22:54

Wow, is that something we could fix upstream?

Comment #7

neclimdul

He/Him

CreditAttribution: neclimdul commented 7 October 2015 at 23:36

Status:	Needs work	» Needs review
Issue tags:	-Needs tests

Fair enough. There where some tests for methods using this base class but not the method itself so new unit test.

Exposed a bonus SymfonyWTF: https://github.com/symfony/symfony/issues/16171

Comment #8

neclimdul

He/Him

CreditAttribution: neclimdul commented 7 October 2015 at 23:37

File	Size
cookies_get_lost_during-2582309-8.patch	3.25 KB
8.0.x: PHP 5.5 & MySQL 5.5 CI error

this one was my fault...

Comment #9

7 October 2015 at 23:38

Status:

Needs review

» Needs work

The last submitted patch, 8: cookies_get_lost_during-2582309-8.patch, failed testing.

Comment #10

7 October 2015 at 23:43

The last submitted patch, 8: cookies_get_lost_during-2582309-8.patch, failed testing.

Comment #11

neclimdul

He/Him

CreditAttribution: neclimdul commented 7 October 2015 at 23:43

Status:

Needs work

» Needs review

File	Size
2582309-10.interdiff.txt	704 bytes
cookies_get_lost_during-2582309-10.patch	3.25 KB
8.0.x: PHP 5.5 & MySQL 5.5 CI error

re #6, I don't think there is a need to fix it upstream. We have this method becase we are already copying other values in this way and its an architectural issue not a bug. Possibly an architecture we could look at improving in a future release of Symfony though.

Grumble grumble groups...

Comment #12

7 October 2015 at 23:44

Status:

Needs review

» Needs work

The last submitted patch, 11: cookies_get_lost_during-2582309-10.patch, failed testing.

Comment #13

7 October 2015 at 23:52

The last submitted patch, 11: cookies_get_lost_during-2582309-10.patch, failed testing.

Comment #14

neclimdul

He/Him

CreditAttribution: neclimdul commented 8 October 2015 at 14:34

File	Size
cookies_get_lost_during-2582309-14.patch	3.27 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,215 pass

The patch that has the previous interdiff. I don't know what my problem is...

Comment #15

neclimdul

He/Him

CreditAttribution: neclimdul commented 8 October 2015 at 14:37

Status:	Needs work	» Needs review
Issue tags:		+Contributed project blocker

Seriously? Since this was blocking my work on migrating Bakery, tagging as well.

Comment #16

8 October 2015 at 15:08

Status:

Needs review

» Needs work

The last submitted patch, 14: cookies_get_lost_during-2582309-14.patch, failed testing.

Comment #17

neclimdul

He/Him

CreditAttribution: neclimdul commented 8 October 2015 at 15:20

Status:

Needs work

» Needs review

yeah, sorry pifr. you don't get to rule my issues anymore.

Comment #18

joelpittet

English

Vancouver

CreditAttribution: joelpittet commented 8 October 2015 at 18:19

Status:

Needs review

» Reviewed & tested by the community

Thank you for adding tests! I agree, PIFR your reign is over.

Comment #19

tim.plunkett

he/him

English

Philadelphia

CreditAttribution: tim.plunkett at Acquia commented 8 October 2015 at 18:27

Fixable on commit:

+++ b/core/tests/Drupal/Tests/Component/HttpFoundation/SecuredRedirectResponseTest.php
@@ -0,0 +1,62 @@
+   *  {@inheritdoc}

Extra space between * and {

+++ b/core/tests/Drupal/Tests/Component/HttpFoundation/SecuredRedirectResponseTest.php
@@ -0,0 +1,62 @@
+    return true;

return TRUE;

Comment #20

dawehner

German

CreditAttribution: dawehner as a volunteer commented 8 October 2015 at 23:02

+++ b/core/lib/Drupal/Component/HttpFoundation/SecuredRedirectResponse.php
@@ -35,6 +35,9 @@ public static function createFromRedirectResponse(RedirectResponse $response) {
     $safe_response->setProtocolVersion($response->getProtocolVersion());
     $safe_response->setCharset($response->getCharset());
+    foreach ($response->headers->getCookies() as $cookie) {
+      $safe_response->headers->setCookie($cookie);
+    }
     return $safe_response;

Can we have a comment why we are doing this here?

Comment #21

neclimdul

He/Him

CreditAttribution: neclimdul commented 13 October 2015 at 22:56

Status:

Reviewed & tested by the community

» Needs review

File	Size
cookies_get_lost_during-2582309-21.patch	3.56 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,219 pass
2582309-21.interdiff.txt	1.75 KB

5 files were hidden/shown/deleted

File	Size
cookies_get_lost_during-2582309-2.patch	846 bytes
8.0.x: PHP 5.5 & MySQL 5.5 14,214 pass
cookies_get_lost_during-2582309-8.patch	3.25 KB
8.0.x: PHP 5.5 & MySQL 5.5 CI error
2582309-10.interdiff.txt	704 bytes
cookies_get_lost_during-2582309-10.patch	3.25 KB
8.0.x: PHP 5.5 & MySQL 5.5 CI error
cookies_get_lost_during-2582309-14.patch	3.27 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,215 pass

Why not.

Comment #22

joelpittet

English

Vancouver

CreditAttribution: joelpittet commented 13 October 2015 at 23:27

Status:	Needs review	» Reviewed & tested by the community
Issue tags:		+rc target triage

Thank you re-RTBC. Comments and docs addressed.

Comment #23

YesCT CreditAttribution: YesCT commented 14 October 2015 at 14:20

Issue tags:

+Needs issue summary update

@joelpittet
https://www.drupal.org/core/d8-allowed-changes
says

Non-criticals under consideration have the rc target triage tag. Issues tagged with rc target triage should have an issue summary that explains why it is important for the issue to land during RC and why it can not wait until later.

I think we need a "beta evaluation" like thing in the issue summary which goes through the criteria in https://www.drupal.org/core/d8-allowed-changes

Comment #24

neclimdul

He/Him

CreditAttribution: neclimdul commented 14 October 2015 at 15:01

Issue summary:

View changes

Its my understanding the "Contributed project blocker" tag should have covered this. I'm very confused about what commiters what to see on issues right now.

Comment #25

neclimdul

He/Him

CreditAttribution: neclimdul commented 14 October 2015 at 15:40

Issue summary:

View changes

Not linked from the RC evaluation but googling I found the template. Hopefully this clarifies.

Comment #26

YesCT CreditAttribution: YesCT commented 14 October 2015 at 23:20

Issue summary:

View changes

Comment #27

YesCT CreditAttribution: YesCT commented 14 October 2015 at 23:21

Issue tags:

-Needs issue summary update

Comment #28

neclimdul

He/Him

CreditAttribution: neclimdul commented 16 October 2015 at 18:39

File	Size
cookies_get_lost_during-2582309-28.patch	3.29 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,245 pass
interdiff.2582309-28.txt	2.4 KB

2 files were hidden/shown/deleted

File	Size
cookies_get_lost_during-2582309-21.patch	3.56 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,219 pass
2582309-21.interdiff.txt	1.75 KB

re-roll around #2573923: Introduce a CacheableRedirectResponse and use it where appropriate

Comment #29

neclimdul

He/Him

CreditAttribution: neclimdul commented 16 October 2015 at 18:40

Status:

Reviewed & tested by the community

» Needs review

Could use a look to make sure it looks right actually. Didn't mean to leave it RTBC.

Comment #30

joelpittet

English

Vancouver

CreditAttribution: joelpittet commented 20 October 2015 at 15:57

Not sure how this will play out, I'm sure if it doesn't get in for RC it can likely go into 8.0.1 or something, but there is a fancy RC evaluation in the IS now.

+++ b/core/lib/Drupal/Component/HttpFoundation/SecuredRedirectResponse.php
@@ -46,6 +46,11 @@ public static function createFromRedirectResponse(RedirectResponse $response) {
+    // Cookies aren't are separate from other headers and have to be copied over
+    // directly.

nit: remove the word 'arn't'

Comment #31

joelpittet

English

Vancouver

CreditAttribution: joelpittet commented 20 October 2015 at 15:58

Status:

Needs review

» Needs work

Would you mind posting a tests only patch with the next patch?

Comment #32

neclimdul

He/Him

CreditAttribution: neclimdul commented 20 October 2015 at 16:49

Status:

Needs work

» Needs review

File	Size
cookies_get_lost_during-2582309-32-FAILURE.patch	2.47 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,237 pass, 1 fail
cookies_get_lost_during-2582309-32.patch	3.28 KB
8.0.x: PHP 5.5 & MySQL 5.5 14,238 pass
2582309-32.interdiff.txt	889 bytes

Sure thing. Hopefully I got the upload order correct...

Comment #33

20 October 2015 at 17:20

The last submitted patch, 32: cookies_get_lost_during-2582309-32-FAILURE.patch, failed testing.

Comment #34

joelpittet

English

Vancouver

CreditAttribution: joelpittet commented 20 October 2015 at 17:37

Status:

Needs review

» Reviewed & tested by the community

Thank you @neclimdul. I think this has all the right stuff now.

Comment #35

20 October 2015 at 18:08

The last submitted patch, 32: cookies_get_lost_during-2582309-32-FAILURE.patch, failed testing.

Comment #36

xjm

she/her

English

CreditAttribution: xjm at Acquia commented 22 October 2015 at 19:09

Issue tags:

-rc target triage

+rc target

Discussed with the D8 committers and we agreed with making this an rc target.

Comment #37

webchick

she/they

English

Vancouver 🇨🇦

CreditAttribution: webchick at Acquia commented 23 October 2015 at 00:02

Status:

Reviewed & tested by the community

» Fixed

Committed and pushed to 8.0.x. Thanks!

Comment #38

23 October 2015 at 00:02

webchick committed 169bd2a on 8.0.x

Issue #2582309 by neclimdul, joelpittet, YesCT, dawehner, tim.plunkett:...

Comment #39

neclimdul

He/Him

CreditAttribution: neclimdul at APQC commented 23 October 2015 at 16:04

Many thanks!

Comment #40

6 November 2015 at 16:04

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.