keep previous cookies

we recently fixed that we lose previous cookies. but the fix was keeping
the messages in the session and only setting the cookie on the last
redirect, which means the messages are lost if the session is destroyed
(e.g. redirect to page outside firewall)

changed to merge the flash messages cookie from requests into the
flashes. and using array_merge_recursive to keep multiple messages with
the same key.

CHANGELOG.md

@@ -1,6 +1,17 @@
 Changelog
 =========
 
+2.9.2
+-----
+
+### Fixed
+
+* 2.9.1 fixed overwriting flash messages on multiple redirects, but introduced
+  a risk to lose flash messages when redirecting to a path that is outside the
+  firewall or destroys the session.
+  This version hopefully fixes both cases. Existing flash messages in a request
+  cookie are merged with new flash messages from the session.
+
 2.9.1
 -----
 

src/EventListener/FlashMessageListener.php

@@ -87,26 +87,28 @@ public function onKernelResponse(FlashMessageResponseEvent $event)
             return;
         }
 
-        $response = $event->getResponse();
-
-        // If the response is a redirect, we should wait until the final response
-        // is reached
-        if ($response->isRedirect()) {
-            return;
-        }
-
         $flashBag = $this->session->getFlashBag();
         $flashes = $flashBag->all();
 
         if (empty($flashes)) {
             return;
         }
 
+        $response = $event->getResponse();
+
         $cookies = $response->headers->getCookies(ResponseHeaderBag::COOKIES_ARRAY);
         $host = (null === $this->options['host']) ? '' : $this->options['host'];
         if (isset($cookies[$host][$this->options['path']][$this->options['name']])) {
             $rawCookie = $cookies[$host][$this->options['path']][$this->options['name']]->getValue();
-            $flashes = array_merge($flashes, json_decode($rawCookie));
+            $flashes = array_merge_recursive($flashes, json_decode($rawCookie, true));
+        }
+
+        // Preserve existing flash message cookie from previous redirect if there was one.
+        // This covers multiple redirects where each redirect adds flash messages.
+        $request = $event->getRequest();
+        if ($request->cookies->has($this->options['name'])) {
+            $rawCookie = $request->cookies->get($this->options['name']);
+            $flashes = array_merge_recursive($flashes, json_decode($rawCookie, true));
         }
 
         $cookie = new Cookie(

tests/Functional/EventListener/FlashMessageListenerTest.php

@@ -13,7 +13,6 @@
 
 use Mockery\Adapter\Phpunit\MockeryPHPUnitIntegration;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
-use Symfony\Component\HttpFoundation\Cookie;
 
 class FlashMessageListenerTest extends WebTestCase
 {
@@ -33,7 +32,6 @@ public function testFlashMessageCookieIsSet()
 
         $found = false;
         foreach ($cookies as $cookie) {
-            /** @var Cookie $cookie */
             if ('flash_cookie_name' !== $cookie->getName()) {
                 continue;
             }
@@ -45,9 +43,7 @@ public function testFlashMessageCookieIsSet()
             $found = true;
         }
 
-        if (!$found) {
-            $this->fail('Cookie flash_cookie_name not found in the cookie response header: '.implode(',', $cookies));
-        }
+        $this->assertTrue($found, 'Cookie "flash_cookie_name" not found in response cookies');
     }
 
     public function testFlashMessageCookieIsSetOnRedirect()
@@ -65,7 +61,6 @@ public function testFlashMessageCookieIsSetOnRedirect()
 
         $found = false;
         foreach ($cookies as $cookie) {
-            /** @var Cookie $cookie */
             if ('flash_cookie_name' !== $cookie->getName()) {
                 continue;
             }
@@ -77,8 +72,6 @@ public function testFlashMessageCookieIsSetOnRedirect()
             $found = true;
         }
 
-        if (!$found) {
-            $this->fail('Cookie flash_cookie_name not found in the cookie response header: '.implode(',', $cookies));
-        }
+        $this->assertTrue($found, 'Cookie "flash_cookie_name" not found in response cookies');
     }
 }