pimcore · lukmzig · Aug 21, 2025 · Aug 21, 2025 · Aug 22, 2025 · Aug 22, 2025
diff --git a/config/event_subscribers.yaml b/config/event_subscribers.yaml
@@ -13,6 +13,10 @@ services:
     tags: [ 'kernel.event_subscriber' ]
     arguments: ['%pimcore_studio_backend.url_prefix%']
 
+  Pimcore\Bundle\StudioBackendBundle\EventSubscriber\SessionCloseSubscriber:
+    tags: [ 'kernel.event_subscriber' ]
+    arguments: ['%pimcore_studio_backend.url_prefix%']
+
   Pimcore\Bundle\StudioBackendBundle\EventSubscriber\ApiExceptionSubscriber:
     tags: [ 'kernel.event_subscriber' ]
     arguments: ["%kernel.environment%", '%pimcore_studio_backend.url_prefix%']
diff --git a/src/EventSubscriber/SessionCloseSubscriber.php b/src/EventSubscriber/SessionCloseSubscriber.php
@@ -0,0 +1,70 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This source file is available under the terms of the
+ * Pimcore Open Core License (POCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (https://www.pimcore.com)
+ *  @license    Pimcore Open Core License (POCL)
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\EventSubscriber;
+
+use Pimcore\Bundle\StudioBackendBundle\Util\Trait\StudioBackendPathTrait;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
+
+/**
+ * @internal
+ */
+final readonly class SessionCloseSubscriber implements EventSubscriberInterface
+{
+    use StudioBackendPathTrait;
+
+    public function __construct(
+        private string $urlPrefix
+    ) {
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            LoginSuccessEvent::class => 'onLoginSuccess',
+            KernelEvents::REQUEST => 'onKernelRequest',
+        ];
+    }
+
+    public function onLoginSuccess(LoginSuccessEvent $event): void
+    {
+        $request = $event->getRequest();
+        if (!$this->isStudioBackendPath($request->getPathInfo(), $this->urlPrefix)) {
+            return;
+        }
+
+        $this->closeSessionWrite($request->getSession());
+    }
+
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        $request = $event->getRequest();
+        if (!$event->isMainRequest() || !$this->isStudioBackendPath($request->getPathInfo(), $this->urlPrefix)) {
+            return;
+        }
+
+        $this->closeSessionWrite($request->getSession());
+    }
+
+    private function closeSessionWrite(SessionInterface $session): void
+    {
+        if ($session->isStarted()) {
+            $session->save();
+        }
+    }
+}
diff --git a/src/Security/Authenticator/AdminTokenAuthenticator.php b/src/Security/Authenticator/AdminTokenAuthenticator.php
@@ -90,10 +90,6 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
             );
         }
 
-        if (session_status() === PHP_SESSION_ACTIVE) {
-            session_write_close();
-        }
-
         return null;
     }
 

diff --git a/src/Security/Service/SecurityService.php b/src/Security/Service/SecurityService.php
@@ -109,9 +109,4 @@ public function getSpecialDataObjectPermissions(
             $permission
         );
     }
-
-    public function isSessionWritable(): bool
-    {
-        return session_status() === PHP_SESSION_ACTIVE;
-    }
 }
diff --git a/src/Security/Service/SecurityServiceInterface.php b/src/Security/Service/SecurityServiceInterface.php
@@ -56,6 +56,4 @@ public function getSpecialDataObjectPermissions(
         UserInterface $user,
         string $permission
     ): array;
-
-    public function isSessionWritable(): bool;
 }
diff --git a/src/Security/Voter/AuthorizationVoter.php b/src/Security/Voter/AuthorizationVoter.php
@@ -23,7 +23,7 @@
  */
 final class AuthorizationVoter extends Voter
 {
-    private const SUPPORTED_ATTRIBUTE = 'STUDIO_API';
+    private const string SUPPORTED_ATTRIBUTE = 'STUDIO_API';
 
     /**
      * {@inheritdoc}
@@ -38,10 +38,6 @@ protected function supports(string $attribute, mixed $subject): bool
      */
     protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
     {
-        if ($attribute !== self::SUPPORTED_ATTRIBUTE) {
-            return false;
-        }
-
-        return true;
+        return $attribute === self::SUPPORTED_ATTRIBUTE;
     }
 }
diff --git a/src/Security/Voter/UserPasswordVoter.php b/src/Security/Voter/UserPasswordVoter.php
@@ -51,12 +51,13 @@ protected function voteOnAttribute(string $attribute, mixed $subject, TokenInter
         $userId = $this->getUserIdFromRequest();
 
         $currentUser = $this->securityService->getCurrentUser();
+
         if ($userId === $currentUser->getId()) {
             // Allow user to update their own password
             return true;
         }
 
-        return $this->securityService->getCurrentUser()->isAllowed(UserPermissions::USER_MANAGEMENT->value);
+        return $currentUser->isAllowed(UserPermissions::USER_MANAGEMENT->value);
     }
 
     private function getUserIdFromRequest(): int
-Original file line number
+Diff line change
@@ Expand Up @@
                 );
             }
-            if (session_status() === PHP_SESSION_ACTIVE) {
-                session_write_close();
-            }
             return null;
         }
@@ Expand Down @@