[Hash] Improve user hash change detection during request by comparing it at the end

andrerom · andrerom · commit aa573d6891bd · 2020-06-19T09:40:45.000+02:00
diff --git a/src/EventListener/UserContextListener.php b/src/EventListener/UserContextListener.php
@@ -78,9 +78,9 @@ class UserContextListener implements EventSubscriberInterface
     private $hasSessionListener;
 
     /**
-     * @var string
+     * @var bool
      */
-    private $hash;
+    private $wasAnonymous;
 
     /**
      * Used to exclude anonymous requests (no authentication nor session) from user hash sanity check.
@@ -137,13 +137,13 @@ public function onKernelRequest(UserContextRequestEvent $event)
         }
 
         $request = $event->getRequest();
+
+        // Return early if request is not a hash lookup
         if (!$this->requestMatcher->matches($request)) {
-            if ($event->getRequest()->headers->has($this->options['user_hash_header'])
-                && !$this->isAnonymous($event->getRequest())
-            ) {
-                $this->hash = $this->hashGenerator->generateHash();
+            if ($request->headers->has($this->options['user_hash_header'])) {
+                // Keep track of if user is anonymous when we have user hash header in request
+                $this->wasAnonymous = $this->isAnonymous($request);
             }
-
             return;
         }
 
@@ -202,11 +202,17 @@ public function onKernelResponse(UserContextResponseEvent $event)
 
         $response = $event->getResponse();
         $request = $event->getRequest();
-
         $vary = $response->getVary();
 
         if ($request->headers->has($this->options['user_hash_header'])) {
-            if (null !== $this->hash && $this->hash !== $request->headers->get($this->options['user_hash_header'])) {
+            $requestHash = $request->headers->get($this->options['user_hash_header']);
+
+            // Generate hash to see if it might have changed during request if user was, or is "logged in" (session)
+            if (!$this->wasAnonymous || !$this->isAnonymous($request)) {
+                $hash = $this->hashGenerator->generateHash();
+            }
+
+            if (null !== $hash && $hash !== $requestHash) {
                 // hash has changed, session has most certainly changed, prevent setting incorrect cache
                 $response->setCache([
                     'max_age' => 0,
