File upload starts session and causes invalid request token #86

Open
richardhj opened this issue Jun 2, 2022 · 4 comments

Comments

@richardhj
Member

It looks like the file upload causes issues that are described in contao/contao#2820.

Steps to reproduce are:

  • Open a form with FineUploader (cookies present in the browser are, among others, the csrf_https-contao_csrf_token, ISOTOPE_TEMP_CART, _ga*)
  • Upload a file using FineUploader; the response starts the PHP session and sets a cookie
  • The cookie PHPSESSID is now present in the browser
  • The form cannot be submitted

[Screenshot 2022-06-02 at 08 33 09]

@fritzmg
Sponsor Collaborator

fritzmg commented Jun 2, 2022

Generally this can happen in Contao: if you are on a page with a form, any AJAX request will cause any subsequent request to require a CSRF token.

@richardhj
Member Author

So we need to start the session when the form is generated?

@fritzmg
Sponsor Collaborator

fritzmg commented Jun 2, 2022

You mean the FineUploader widget should always start a session? That would certainly fix it. Not sure what the best or most "correct" solution is though. The AJAX request could also return a REQUEST_TOKEN so that the JavaScript can insert it into the form. However that sounds like something that Contao should provide a sort of API for in general 🤔
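The second option mentioned above, the upload response carrying the token so the JavaScript can refresh the hidden REQUEST_TOKEN field, as an added sketch that is not part of this issue, the extension or Contao itself. It assumes Contao's CSRF token manager implements Symfony's CsrfTokenManagerInterface and that the token id is the value of the contao.csrf_token_name parameter (assumed "contao_csrf_token", matching the csrf_https-contao_csrf_token cookie named in the report); the class name is hypothetical.

```php
<?php

declare(strict_types=1);

namespace App\Upload;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

/**
 * Hypothetical helper (added example): builds the JSON reply for the
 * FineUploader AJAX request and adds the current request token, so the page's
 * JavaScript can update the hidden REQUEST_TOKEN field once the upload has
 * started the session and token checking is enforced on the next submit.
 */
final class UploadResponseFactory
{
    public function __construct(
        // Assumption: Contao's token manager implements the Symfony interface.
        private CsrfTokenManagerInterface $tokenManager,
        // Assumption: token id as configured by contao.csrf_token_name.
        private string $tokenName = 'contao_csrf_token',
    ) {
    }

    /**
     * @param array<string, mixed> $uploadResult what the uploader would normally return
     */
    public function create(array $uploadResult): JsonResponse
    {
        // getToken() returns the existing token for this id or creates one; its
        // value is what the form's REQUEST_TOKEN field has to contain on submit.
        $uploadResult['REQUEST_TOKEN'] = $this->tokenManager
            ->getToken($this->tokenName)
            ->getValue();

        // A JSON response is not readable cross-origin without CORS headers, so
        // the token stays with the same-origin page that renders the form.
        return new JsonResponse($uploadResult);
    }
}
```

On the client side the FineUploader complete callback receives the parsed response, so the page script would copy `responseJSON.REQUEST_TOKEN` into the form's `input[name="REQUEST_TOKEN"]` there; with that in place the form submit after an upload carries the token the now-started session expects.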

@richardhj
Member Author

As discussed, the missing session is the issue, so this is what I implemented in the project:

<?php

namespace App\EventListener;

use Contao\CoreBundle\ServiceAnnotation\Hook;
use Contao\Widget;
use Symfony\Component\HttpFoundation\Session\Session;

/**
 * Starts the session as soon as a widget is rendered, so the request token
 * embedded in the form is already valid when the FineUploader AJAX request
 * comes in (instead of the upload starting the session afterwards).
 *
 * @Hook("parseWidget")
 */
class ParseWidgetListener
{
    private $session;

    public function __construct(Session $session)
    {
        $this->session = $session;
    }

    public function __invoke(string $buffer, Widget $widget): string
    {
        // Writing any value to the session forces it to start and sets the
        // PHPSESSID cookie on this response; the value itself is irrelevant.
        if (!$this->session->isStarted()) {
            $this->session->set('foo', uniqid());
        }

        return $buffer;
    }
}
