Symfony 5.4 - Why do I still get `PHPSESSID` cookie for `/probe` paths despite setting firewall `security` to `false` and `stateless` to `true`? #61019

renepupil · 2025-07-02T07:47:18Z

renepupil
Jul 2, 2025

We use redis as native session storage in php.ini template:

session.save_handler = redis
session.save_path = "${REDIS_PATH}"
session.cookie_httponly = 1
session.use_strict_mode = 1
session.cookie_secure = 1
session.use_trans_sid = 0

Session framework.yaml settings:

framework:
    session:
        handler_id: ~
        cookie_secure: true
        cookie_httponly: true
        storage_factory_id: session.storage.factory.php_bridge

We added some /probe routes for kubernetes probes:

#[Route('/probe', name: 'app_frontend_probe_')]
class ProbeController extends AbstractController
{
    #[Route('/liveness', name: 'liveness')]
    public function getLiveness(Request $request): JsonResponse

For these we don't security and sessions, hence I disabled security for /probe routes in security.yaml:

security:
  firewalls:
    probe:
      pattern: ^/probe/
      security: false
      stateless: true

Why do I still get PHPSESSID when calling /probe/ endpoints with these settings in browser?

MatTheCat · 2025-07-02T11:22:47Z

MatTheCat
Jul 2, 2025

Can you check your probe firewall really matches /probe/liveness (it won’t be the case if a previous firewall’s pattern also matches)?

(Note that you don’t need to configure a firewall as stateless if its security is false.)

If a session is still being created, configure your routes as stateless to see why; you should probably do it anyway.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Symfony 5.4 - Why do I still get `PHPSESSID` cookie for `/probe` paths despite setting firewall `security` to `false` and `stateless` to `true`? #61019

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Symfony 5.4 - Why do I still get PHPSESSID cookie for /probe paths despite setting firewall security to false and stateless to true? #61019

Uh oh!

Uh oh!

renepupil Jul 2, 2025

Replies: 1 comment

Uh oh!

Uh oh!

MatTheCat Jul 2, 2025

Symfony 5.4 - Why do I still get `PHPSESSID` cookie for `/probe` paths despite setting firewall `security` to `false` and `stateless` to `true`? #61019

renepupil
Jul 2, 2025

MatTheCat
Jul 2, 2025