Lazy started sessions with session data are not saved with symfony/http-foundation 3.4.24

In discussing w/ Mike on Drupal Slack I was looking at Drupal's lazy handling of sessions.

    if ($this->isSessionObsolete()) {
      // There is no session data to store, destroy the session if it was
      // previously started.
      if ($this->getSaveHandler()->isActive()) {
        $this->destroy();
      }
    }
    else {
      // There is session data to store. Start the session if it is not already
      // started.
      if (!$this->getSaveHandler()->isActive()) {
        $this->startNow();
      }
      // Write the session data.
      parent::save();
    }

Mike assumes it's due to "isStarted" not being aware of our lazy handling.

Title suggestions:

* Lazy started sessions are not saved with symfony/http-foundation 3.4.24
* Session manager should report a session is started if lazy started

So I'm concerned about the consequences of changing the meaning of \Drupal\Core\Session\SessionManager::isStarted() to include lazy sessions. This will affect what happens on session regeneration if the session is only a lazy session and also what happens on \Drupal\Core\DrupalKernel::initializeContainer(). Obviously the session regeneration concern is a bigger one because this happens on every log in.

We need to investigate the ramifications of the proposed fixed. An alternative (and one I'm not sure is a good one) is we could subclass \Symfony\Component\HttpFoundation\Session\Session and use it in

  session:
    class: Symfony\Component\HttpFoundation\Session\Session
    arguments: ['@session_manager', '@session.attribute_bag', '@session.flash_bag']

and override the save method to not check if it is started.

Still thinking and testing things locally.

In order to make sure we don't unnecessarily save the session during a user log in we need to change \Drupal\Core\Session\SessionManager::regenerate() to check the parent's notion of isStarted() and not it's own new notion. I think we can ignore the DrupalKernel usage because although this might result in more calls to \Drupal\Core\Session\SessionManager::save() that will only create a session if it needs to and we might get more lazily started sessions but it shouldn't be a big issue.

Note if you want to see \Drupal\Core\Session\SessionManager::regenerate() do extra work because of #3 you can debug core/modules/user/tests/src/Functional/UserLoginHttpTest.php and set a breakpoint in the regenerate method.

#11 makes sense to ignore the lazy session for checking if a session has been started during generation. Is there an easy way to test this via kernel tests and a mocked session?

For those looking for the "quick fix" for the time being, mglaman and mikelutz have stated (on Slack) that adding the following conflict in your composer.json file should force a downgrade to v3.4.23. It works in my instance.

"conflict": {"symfony/http-foundation": "3.4.24"}

The quick fix in #16 worked for me.

This issue completely broke password resets on my site, so it seems like a pretty big deal if that's happening to everyone. (You'd end up with Access Denied when clicking the login link.)

+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -340,4 +342,11 @@ protected function migrateStoredSession($old_session_id) {
+    return parent::isStarted() || $this->startedLazy;

This needs an inline comment as to why we're overriding the logic here.

Given this is a critical regression and we're time-constrained, if there's not an obvious route to testing this, we should consider committing this without test coverage and open up a follow-up for that (or if not commit the composer.json conflicts quick fix instead).

Hi I'm unable to install Drupal.
I'm using the composer project here:
https://github.com/drupal-composer/drupal-project/
running:
composer create-project drupal-composer/drupal-project:8.x-dev some-dir --no-interaction
which completes successfully.
Once I load the web page in browser and begin the installer steps, it works OK for a few steps: allows me to enter database details, choose the install type, but then I receive this error:
The website encountered an unexpected error. Please try again later.
Drupal\Core\Config\UnmetDependenciesException: Configuration objects provided by standard have unmet dependencies: block.block.bartik_account_menu (block), block.block.bartik_help (help, block), block.block.bartik_search (search, block), block_content.type.basic (block_content), comment.type.comment (comment), contact.form.feedback (contact), core.entity_form_display.block_content.basic.default (text), core.entity_form_display.node.article.default (image.style.thumbnail, comment, image, path, text), core.entity_form_display.node.page.default (path, text), core.entity_form_display.user.user.default (image.style.thumbnail, image), core.entity_view_display.node.article.default (image.style.large, comment, image, text), core.entity_view_display.node.article.rss (core.entity_view_mode.node.rss), core.entity_view_display.node.article.teaser (core.entity_view_mode.node.teaser, image.style.medium, image, text), core.entity_view_display.node.page.teaser (core.entity_view_mode.node.teaser, text), editor.editor.basic_html (ckeditor, editor), field.field.block_content.basic.body (field.storage.block_content.body, text, field), field.field.comment.comment.comment_body (field.storage.comment.comment_body, text, field), field.field.node.article.body (field.storage.node.body, text, field), field.field.node.article.comment (comment, field), field.field.node.article.field_image (image, field), field.field.node.article.field_tags (field), field.storage.node.comment (comment, node, field), field.storage.node.field_image (file, image, node, field), field.storage.node.field_tags (node, taxonomy, field), field.storage.user.user_picture (file, image, field), filter.format.basic_html (editor, filter), filter.format.restricted_html (filter), node.type.article (node), rdf.mapping.comment.comment (comment, rdf), rdf.mapping.node.article (node, rdf), rdf.mapping.taxonomy_term.tags (taxonomy, rdf), taxonomy.vocabulary.tags (taxonomy) in Drupal\Core\Config\UnmetDependenciesException::create() (line 98 of core/lib/Drupal/Core/Config/UnmetDependenciesException.php).
Drupal\Core\Config\UnmetDependenciesException::create('standard', Array) (Line: 485)
Drupal\Core\Config\ConfigInstaller->checkConfigurationToInstall('module', 'standard') (Line: 132)
Drupal\Core\ProxyClass\Config\ConfigInstaller->checkConfigurationToInstall('module', 'standard') (Line: 150)
Drupal\Core\Extension\ModuleInstaller->install(Array, ) (Line: 83)
Drupal\Core\ProxyClass\Extension\ModuleInstaller->install(Array, ) (Line: 1663)
install_install_profile(Array) (Line: 709)
install_run_task(Array, Array) (Line: 584)
install_run_tasks(Array, NULL) (Line: 125)
install_drupal(Object) (Line: 44)

Is that error related to this issue, and if so - is there any way for me to get around this to complete the install correctly?

Just FYI, the comment above is from #2594351: UnmetDependenciesException when installing Drupal 8. I’ve duplicated two issues onto it.

Given this is a critical regression and we're time-constrained, if there's not an obvious route to testing this, we should consider committing this without test coverage and open up a follow-up for that (or if not commit the composer.json conflicts quick fix instead).

I encountered this bug today, and spent my entire day bashing my head against the wall over it, after innocently trying to run an update path test (i.e., extends UpdatePathTestBase) which had previously worked. If my experience holds true for core, updating symonfy/http-foundation should cause every single update path test in core to fail. So we could post a fail patch that only updates the dependency, and rely on (for now) the existing implicit test coverage to get this committed.

OK https://www.drupal.org/project/drupal/issues/3044155 shows we have implicit test coverage for this, mostly in update path testing. Given that and the difficulty of testing this at a lower level, I think this is RTBC.

@mikelutz I'm not sure about #24. I think it is fine for the class to use the protected properties especially when doing

    if (($this->started || $this->startedLazy) && !$this->closed) {
       return $this->started;
     }

with the new formulation

    if ($this->isStarted() && !$this->closed) {
       return $this->started;
     }

There'll be someone in the future who comes along and changes it to

    if ($this->isStarted() && !$this->closed) {
       return $this->isStarted();
     }

And that would change the meaning of the return value. Not that I'm convinced that the current return value makes much sense when the session is only lazily started but so be it. At least the current code doesn't hide any of this complexity.

So on the logic of #26 let's be explicit about what we're doing and not call ::isStarted() internally at all. This makes it nice and explicit about how these two flags are used internally.

Keeping the excellent new docs from #23.

Note that the test-only patch in #27 is not a test-only patch in the traditional sense - it is a "pseudo max dependency testing" (as per @larowlan) and should pass. If we only did the drupalci.yml changes it would fail because of the error people are experiencing.

Committed 3d7ea45 and pushed to 8.8.x. Thanks!

c/p to 8.7.x as 752ad1a4de

8.6.x is also affected by this issue. Should we also commit this to 8.6.x?
I can confirm the patch works on 8.6.

I can also confirm it is also affected 8.6.x and the patch worked well.

RTBC for 8.6.x

With DrupalCon NA being next week, and 8.6.x being the active stable version... there's gonna be a lot of 'surprised' Drupal users when they go to set up their environment or demo something. I agree, this needs backport to 8.6.x, and ideally it would be good to get out a new 8.6.x release before DrupalCon. Otherwise I'm guessing we're going to see a lot more issues for this.

My automated installs of Drupal using Drush are also starting to fail now (only one so far, but there are a bunch on weekly cron so I know many of my projects are going to start going red soon) :( (e.g. https://travis-ci.org/geerlingguy/drupal-vm/jobs/515907080#L2647).

Discussed with other committers—@alexpott, @larowlan, @Gábor Hojtsy, @plach—and (despite being outside the bug fix window) we recommend putting out a "hotfix" release for this, especially given DrupalCon is next week. One good thing is that `git diff 8.6.13 8.6.x` is only the VERSION constant.

Tagging for release manager review.

Committed/pushed to 8.6.x, thanks!

Not sure if there's anything else we want to get into a hotfix to avoid doing a further bugfix release, but at least this one should be in it.

Pretty trivial but 8.6 patch added an extra newline breaking phpcs

Gah! Sorry about that.

Pushed a follow-up.

I'm not sure, but could this also be related to issues with reset links? All of our client websites seem to return "access denied" pages when users use the "Forgot password" functionality and click on the link from the mail. It seems that the URL returns a decent 302 redirect to the "/user/reset/{uid}" page but does not supply any session cookies, therefor the user is landing on that "/user/reset/{uid}" page and receives a access denied response.

@Ambidex yes that issue has been reported before, and is due to the Symfony update, so fixed by this issue.

Awesome. I can confirm patch from #36 fixes our following two issues:

1. "Access denied" when trying to reset password from link in e-mail.
2. Anonymous users were unable to flag content, no session was created.

Patch in #36 also fixes an issue where openid_connect uses sessions to validate the user with StateToken:confirm and a query token.

The release note on this should be expanded a bit more. It should explain to a site owner what the problem is, how it came about, and how the site is affected. See https://www.drupal.org/project/drupal/releases/8.6.12 for a similar example.

I've updated the release notes snippet. @xjm also pointed out we should find or open an upstream issue for this, given it caused a critical bug via a patch release of Symfony.

Quick Fix in #16 worked for me.
Thank you

My "composer update" command did not find the new Drupal core version. The "update" page in the Drupal admin backend displays it though. Any idea?

I am on newest stable composer version and the composer.json entry for Drupal core is

"drupal/core": "~8.0",

it doesn't show up on https://packagist.org/packages/drupal/core, which is based on https://github.com/drupal/core/releases, which is missing that tag. The commits seem to be there, however. Not sure who has access to that these days, might need to wait until the infrastructure team is up, also most people are in Seattle now..

@dtv_rb Suggest to create your own support issue, since it is unrelated.
Use "composer prohibits" to find out what stops you upgrading. Suspect webflo or symfony package to pin you to current installed.
Hope for you that you are not on drupal/drupal, which is not meant for updating drupal/core. In which case you need to migrate code base to proper distribution.

I found #54 after I reported the issue
#3046516: Drupal core 8.6.14 tag is not pushed to packagist.org

Hmm i created a little test

  /**
   * Page.
   */
  public function set() {
    /* @var $tempStoreFactory \Drupal\Core\TempStore\PrivateTempStoreFactory */
    $tempStoreFactory = Drupal::service('tempstore.private');
    $tempStoreFactory->get('test')->set('test', 'hello!');
    $response = new Response('hallo');
    $response->setCache(['max_age' => 0]);
    return $response;
  }

  /**
   * Page.
   */
  public function read() {
    /* @var $tempStoreFactory \Drupal\Core\TempStore\PrivateTempStoreFactory */
    $tempStoreFactory = Drupal::service('tempstore.private');
    $tempStore = $tempStoreFactory->get('test');
    $response = new Response($tempStore->get('test'));
    $response->setCache(['max_age' => 0]);
    return $response;
  }

and on the latest Drupal version i get on the read request not hello! back.. i see also that there is a pull request from alexpott https://github.com/symfony/symfony/pull/31215 that should fix this but now there is no private temp date saved for anonymous users which wil break sams logins etc. I think for the private stores etc the issue is not fixed yet? it is fixed to downgrading the "symfony/http-foundation": "3.4.23"

Just curious if this issue is all cleared up if I was to use the default process with the composer project:
https://github.com/drupal-composer/drupal-project

or do I need to still adjust settings to avoid the errors?

OK Alex Pott and Mike Lutz just informed me that Symfony has reverted this change upstream, making this unnecessary. It's also in a tagged release.

Discussed with xjm what to do since it's release window as we speak... we both think we should:

1. Revert this issue
2. Add an explicit conflict in composer.json
3. probably update to the latest Symfony patch release, although that carries a slight risk depending what the other commits are.

Not sure what to do about 8.6.x yet but that doesn't have to be today.

Here's a patch that does the revert and bumps the version. Didn't add the conflict because our version in composer.json was "symfony/http-foundation": "~3.4.26", so bumped that to "~3.4.27"

And here's a patch for 8.8.x.

Committed/pushed to 8.8.x and 8.7.x.

Moving as 'to be ported' to 8.6.x - we should just do the same probably.

Here's a patch for 8.6.x

I had to revert 2 commits because there was a coding standards followup.

Hello

patch #36 does not solve the problem for me

i attach my composer.json

{
"name": "drupal-composer/drupal-project",
"description": "Project template for Drupal 8 projects with composer",
"type": "project",
"license": "GPL-2.0-or-later",
"authors": [
{
"name": "",
"role": ""
}
],
"repositories": [
{
"type": "composer",
"url": "https://packages.drupal.org/8"
},
{
"type": "composer",
"url": "https://asset-packagist.org"
}
],
"require": {
"php": ">=5.6",
"composer/installers": "^1.2",
"cweagans/composer-patches": "^1.6.5",
"drupal-composer/drupal-scaffold": "^2.5",
"drupal/admin_toolbar": "^1.26",
"drupal/allowed_formats": "^1.1",
"drupal/auto_entitylabel": "^2.1@beta",
"drupal/better_exposed_filters": "3.x-dev",
"drupal/bootstrap_datetime_picker": "^1.2",
"drupal/components": "^1.0",
"drupal/console": "^1.0.2",
"drupal/contextual_range_filter": "1.x-dev",
"drupal/core": "^8.6.0",
"drupal/data_encryption": "^1.0@RC",
"drupal/dwr": "1.1",
"drupal/encrypt": "^3.0@RC",
"drupal/encrypt_seclib": "^1.0@alpha",
"drupal/field_encrypt": "^2.0@alpha",
"drupal/field_permissions": "^1.0@RC",
"drupal/mail_login": "^1.0",
"drupal/masquerade": "2.x-dev",
"drupal/menu_item_extras": "^2.4",
"drupal/page_message": "^1.0@beta",
"drupal/pubkey_encrypt": "^1.0@beta",
"drupal/real_aes": "^2.1",
"drupal/redirect_after_login": "^2.5",
"drupal/search_api": "^1.11",
"drupal/shield": "^1.2",
"drupal/timepicker-timepicker": "^1.0",
"drupal/views_autocomplete_filters": "^1.2",
"drupal/views_contextual_filters_or": "^1.1",
"drush/drush": "^9.0.0",
"oomphinc/composer-installers-extender": "^1.1",
"vlucas/phpdotenv": "^2.4",
"webflo/drupal-finder": "^1.0.0",
"webmozart/path-util": "^2.3",
"zaporylie/composer-drupal-optimizations": "^1.0"
},
"require-dev": {
"webflo/drupal-core-require-dev": "^8.6.0"
},
"conflict": {
"drupal/drupal": "*",
"symfony/http-foundation": "3.4.24"
},
"minimum-stability": "dev",
"prefer-stable": true,
"config": {
"sort-packages": true
},
"autoload": {
"classmap": [
"scripts/composer/ScriptHandler.php"
],
"files": ["load.environment.php"]
},
"scripts": {
"pre-install-cmd": [
"DrupalProject\\composer\\ScriptHandler::checkComposerVersion"
],
"pre-update-cmd": [
"DrupalProject\\composer\\ScriptHandler::checkComposerVersion"
],
"post-install-cmd": [
"DrupalProject\\composer\\ScriptHandler::createRequiredFiles"
],
"post-update-cmd": [
"DrupalProject\\composer\\ScriptHandler::createRequiredFiles"
]
},
"extra": {
"installer-types": [
"npm-asset",
"bower-asset"
],
"installer-paths": {
"web/libraries/{$name}": [
"type:drupal-library",
"type:npm-asset",
"type:bower-asset"
]
},
"composer-exit-on-patch-failure": true,
"patchLevel": {
"drupal/core": "-p2"
},
"installer-paths": {
"web/core": ["type:drupal-core"],
"web/libraries/{$name}": ["type:drupal-library"],
"web/modules/contrib/{$name}": ["type:drupal-module"],
"web/profiles/contrib/{$name}": ["type:drupal-profile"],
"web/themes/contrib/{$name}": ["type:drupal-theme"],
"drush/Commands/{$name}": ["type:drupal-drush"]
},
"drupal-scaffold": {
"initial": {
".editorconfig": "../.editorconfig",
".gitattributes": "../.gitattributes"
}
},
"patches": {
"drupal/core": {
"views OR bug": "https://www.drupal.org/files/issues/2018-08-02/manytoonehelper_ignores-2...",
"lazy loading issue": "https://www.drupal.org/files/issues/2019-04-04/3045349-35-86x.patch"
}
}
}
}

So, are we going to merge this into 8.6? Would be helpful on my project, for example.

The issue still exists on our installation (basically password reset isn't working like mentioned in #3045844).

We have updated drupal to 8.7.2 (which includes everything from here and http-foundation is on 3.4.28). Shouldn't it be working?

We're generating the one-time login link with `drush user:login`. The first time just after `drush cache:rebuild`, it works. And I think it works every 2nd `drush user:login` attempt.

Also we're receiving the message
"You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password."
on the access denied page.
-----

edit: ignore my comment. I figured out that my issue had something todo with something different from our custom modules.

Taking moshe's comment in #69 as an RTBC.

The patch #67 will not apply on 8.6.16 for me.

{
    "name": "drupal-composer/drupal-project",
    "description": "Project template for Drupal 8 projects with composer",
    "type": "project",
    "license": "GPL-2.0-or-later",
    "authors": [
        {
            "name": "",
            "role": ""
        }
    ],
    "repositories": [
        {
            "type": "git",
            "url": "git@gitlab.ueberbit.de:ueberbit-drupal/common-drush-commands.git"
        },
        {
            "type": "vcs",
            "url": "https://github.com/webflo/datetimepicker.git",
            "no-api": true
        },
        {
            "type": "vcs",
            "url": "git@gitlab.ueberbit.de:ueberbit-drupal/react-menu.git"
        },
        {
            "type": "composer",
            "url": "https://packages.drupal.org/8"
        }
    ],
    "require": {
        "ext-ldap": "*",
        "composer/installers": "^1.2",
        "cweagans/composer-patches": "^1.6",
        "drupal-composer/drupal-scaffold": "^2.2",
        "drupal/address": "^1.4",
        "drupal/admin_toolbar": "^1.25",
        "drupal/ajax_comments": "^1.0@beta",
        "drupal/allowed_formats": "^1.1",
        "drupal/auto_image_style": "^1.0@alpha",
        "drupal/autologout": "^1.0",
        "drupal/better_exposed_filters": "^3.0@alpha",
        "drupal/ckwordcount": "^1.0",
        "drupal/comment_delete": "^1.1",
        "drupal/components": "^1.0",
        "drupal/composer_deploy": "^1.2",
        "drupal/config_default_image": "^1.0",
        "drupal/config_filter": "^1.2",
        "drupal/config_pages": "^2.2",
        "drupal/config_split": "^1.3",
        "drupal/contribute": "^1.0",
        "drupal/core": "~8.6.16",
        "drupal/crop": "^1.5",
        "drupal/datetimepicker": "dev-8.x-1.x",
        "drupal/dropzonejs": "^2.0@alpha",
        "drupal/editor_advanced_link": "^1.4",
        "drupal/entity_browser": "^2.0",
        "drupal/entity_language_fallback": "^1.3",
        "drupal/entity_reference_revisions": "^1.6",
        "drupal/entity_usage": "2.x-dev",
        "drupal/externalauth": "^1.1",
        "drupal/facets": "^1.0@beta",
        "drupal/field_group": "^1.0",
        "drupal/field_tools": "^1.0@alpha",
        "drupal/file_entity": "^2.0@beta",
        "drupal/flag": "^4.0@alpha",
        "drupal/focal_point": "^1.0@beta",
        "drupal/geocoder": "^2.0@beta",
        "drupal/geolocation": "2.x-dev#9644f26b93241b050846021503f35787f1dbfe4f",
        "drupal/ics_field": "^1.0",
        "drupal/imagemagick": "^2.3",
        "drupal/inline_entity_form": "^1.0@beta",
        "drupal/languagefield": "^1.4",
        "drupal/ldap": "3.x-dev#07839a1835ee3fc1cd2b04a3726cb6ff4446a0f5",
        "drupal/ldap_sso": "1.x-dev#5a876218e24ec49f91829c34e50ef942ebc7b3b9",
        "drupal/link_to_entity": "1.x-dev",
        "drupal/linkit": "^5",
        "drupal/login_destination": "1.x-dev",
        "drupal/markup": "^1.0@beta",
        "drupal/masquerade": "^2.0@beta",
        "drupal/matomo": "^1.7",
        "drupal/media_entity_browser": "2.x-dev",
        "drupal/media_entity_download": "^2",
        "drupal/media_entity_slideshow": "^2",
        "drupal/media_expire": "^2.0@alpha",
        "drupal/menu_admin_per_menu": "^1.0",
        "drupal/menu_block": "^1.4",
        "drupal/menu_breadcrumb": "^1.7",
        "drupal/message": "^1.0@RC",
        "drupal/override_node_options": "^2.4",
        "drupal/paragraphs": "^1.5",
        "drupal/paragraphs_collection": "^1.0@alpha",
        "drupal/pathauto": "^1.3",
        "drupal/poll": "^1.1",
        "drupal/publication_date": "^2",
        "drupal/r4032login": "^1.1",
        "drupal/rabbit_hole": "^1.0@beta",
        "drupal/react_menu": "dev-8.x-1.x",
        "drupal/readonly_field_widget": "^1.2",
        "drupal/redirect": "^1.3",
        "drupal/replicate": "1.x-dev",
        "drupal/replicate_ui": "^1.0@alpha",
        "drupal/scheduler": "^1.0",
        "drupal/search_api": "^1.8",
        "drupal/search_api_attachments": "^1.0@beta",
        "drupal/search_api_autocomplete": "^1.0",
        "drupal/search_api_solr": "^2.0",
        "drupal/search_api_sorts": "^1.0@beta",
        "drupal/select2": "1.x-dev",
        "drupal/shs": "^1.0@alpha",
        "drupal/smart_trim": "^1.1",
        "drupal/stage_file_proxy": "^1.0@alpha",
        "drupal/svg_image_field": "^1.1",
        "drupal/swiftmailer": "^1.0@beta",
        "drupal/taxonomy_container": "^1.1",
        "drupal/token": "^1.5",
        "drupal/twig_field_value": "^1.1",
        "drupal/twig_xdebug": "^1.0",
        "drupal/video_embed_field": "^2.0",
        "drupal/view_unpublished": "^1.0@alpha",
        "drupal/views_data_export": "^1.0@alpha",
        "drupal/views_infinite_scroll": "^1.5",
        "drupal/webform": "^5.0@RC",
        "drush/drush": "^9.6.2",
        "emojione/emojione": "^2",
        "myclabs/php-enum": "^1.6",
        "ueberbit/common_drush_commands": "^2.0",
        "vlucas/phpdotenv": "^2.4",
        "webflo/drupal-finder": "^1.0.0",
        "webmozart/path-util": "^2.3"
    },
    "require-dev": {
        "drupal/drupal-extension": "~3.0",
        "integratedexperts/behat-screenshot": "^0.7.2",
        "webflo/drupal-core-require-dev": "~8.6.16",
        "weitzman/drupal-test-traits": "^1.0@beta"
    },
    "conflict": {
        "drupal/drupal": "*"
    },
    "minimum-stability": "dev",
    "prefer-stable": true,
    "config": {
        "platform": {
            "php": "7.2"
        },
        "sort-packages": true
    },
    "autoload": {
        "classmap": [
            "scripts/composer/ScriptHandler.php"
        ],
        "files": ["load.environment.php"]
    },
    "scripts": {
        "drupal-scaffold": "DrupalComposer\\DrupalScaffold\\Plugin::scaffold",
        "pre-install-cmd": [
            "DrupalProject\\composer\\ScriptHandler::checkComposerVersion"
        ],
        "pre-update-cmd": [
            "DrupalProject\\composer\\ScriptHandler::checkComposerVersion"
        ],
        "post-install-cmd": [
            "DrupalProject\\composer\\ScriptHandler::createRequiredFiles"
        ],
        "post-update-cmd": [
            "DrupalProject\\composer\\ScriptHandler::createRequiredFiles"
        ]
    },
    "extra": {
        "installer-paths": {
            "web/core": ["type:drupal-core"],
            "web/libraries/{$name}": ["type:drupal-library"],
            "web/modules/contrib/{$name}": ["type:drupal-module"],
            "web/profiles/contrib/{$name}": ["type:drupal-profile"],
            "web/themes/contrib/{$name}": ["type:drupal-theme"],
            "drush/Commands/{$name}": ["type:drupal-drush"]
        },
        "patches": {
            "drupal/entity_browser": {
                "Provide inline entity form FieldWidgetDisplay #2858438: Provide inline entity form FieldWidgetDisplay": "https://www.drupal.org/files/issues/2018-04-04/2858438_10.patch"
            },
            "drupal/geolocation": {
                "Unable to save leaflet formatter settings #2977717: Unable to save leaflet formatter settings": "https://www.drupal.org/files/issues/2018-06-06/2977717-1.patch",
                "Zoom level for Geolocation leaflet ignored. The map always zoom in on the marker #2971804: Zoom level for Geolocation leaflet ignored. The map always zoom in on the marker": "https://www.drupal.org/files/issues/2018-05-09/2971804-2.patch"
            },
            "drupal/core": {
                "Non interactive install not in English with configuration overrides is broken": "https://www.drupal.org/files/issues/2018-09-16/2999061-10.patch",
                "Add options to filter.module #3011440: Filter URL to links with options to convert URL or email.": "https://www.drupal.org/files/issues/2018-11-05/3011440_add_options_2.patch",
                "Prevent the use of placeholders that cannot be converted #2481349: Prevent the use of placeholders that cannot be converted into strings when creating logs": "https://www.drupal.org/files/issues/2018-07-16/2481349-64.patch",
                "Lazy started sessions with session data are not saved with symfony/http-foundation 3.4.24": "https://www.drupal.org/files/issues/2019-05-01/3045349-revert-8.6.x-67.patch"
            },
            "drupal/ldap": {
                "Support provision from multiple LDAP Servers": "patches/ldap/provision-from-multiple-server.patch",
                "Add LDAP Server context": "patches/ldap/add-sever-context.patch",
                "Fix OrphanProcessor::checkOrphans": "patches/ldap/fix-OrphanProcessor.patch"
            },
            "drupal/svg_image_field": {
                "Allow image/svg mime-type #2991650: Allow image/svg mime-type": "https://www.drupal.org/files/issues/2018-08-09/2991650-2.patch"
            },
            "drupal/link_to_entity": {
                "Token integration": "patches/drupal-link_to_entity/token-integration.patch"
            },
            "drupal/select2": {
                "Fix focus lost ie 11": "patches/select2/ie11.patch"
            },
            "drupal/media_entity_slideshow": {
                "Allow field to be empty[3015310]": "https://www.drupal.org/files/issues/2018-11-21/3015310_allow_field_to_be_empty_2.patch"
            },
            "drupal/drupal-extension": {
                "Implement configurable login path, https://github.com/jhedstrom/drupalextension/pull/380": "https://patch-diff.githubusercontent.com/raw/jhedstrom/drupalextension/pull/380.patch"
            },
            "drupal/markup": {
                "Allow translation of markup content #2711427: Missing schema for configuration": "https://www.drupal.org/files/issues/allow_translation_of-2711427-4.patch"
            },
            "drupal/ldap_sso": {
                "Fix destination parameter handling:": "patches/ldap_sso/fix-destination-parameter-handling.v2.patch"
            },
            "drupal/autologout": {
                "Fix time is null": "patches/autologout/fix_time_is_null_for.patch"
            },
            "drush/drush": {
                "Fix TTY detection for runserver command": "https://github.com/drush-ops/drush/commit/dda3993778f6d81e339d1ae7f0b1c8e18cc9b573.patch"
            }
        },
        "patchLevel": {
            "drupal/core": "-p2"
        }
    }
}

Yep, needs a re-roll.

Re-rolling

Committed c811241 and pushed to 8.6.x. Thanks!

I have update drupal 8.7.10 which having, Symfony http-foundation has been updated to version 3.4.35 in this release. once I'm getting the reset password link I'm getting forbidden (403) error.

Same here as for /u/Abhinaw.
Updated core to 8.6.18 and have "http-foundation" of version 3.4.35.
Still gaining "You are not authorized to access this page." when trying to use one-time-login-link.
And session cookie is created.

Important moments:
- While I'm using one-time-login-link I'm being logged in and not redirected anywhere, just beholding "You are not authorized to access this page." (while already being logged in);
- I see same "You are not authorized to access this page." when I'm just trying to visit "/user/reset/{uid}" while being logged in ({uid} is just my current uid);

UPD: found custom hook_user_login with redirect response, so this comment is not relevant, sorry for panic :)

Maybe @Abhinaw also have custom redirects that executes on user login;

Seeing this on an intermittent basis in Drupal 8.8.8 .. refreshing the page the one time login page works.

Release note is already present.