[HttpFoundation] [RFC] Improve stateless request handling #57502

VincentLanglet · 2024-06-23T16:51:35Z

Description

When a request is flagged as stateless, we're not supposed to use the session.

Still, this was often forgotten and I saw many fixes in Symfony codebase like
#57372
#54742
#51350

I think there is something to improve in other to have easier stateless check and/or integrate the check inside hasSession/getSession.

First, to me, the _attribute seems internal to Symfony and it's not perfect to ask the user to check for

$request->attributes->getBoolean('_stateless')

so I would propose to introduce Request::isStateless which could be done this way 05d4852

Second, since there is an exception/warning checking if the session was used when the request is stateless
cf

symfony/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php

Lines 209 to 219 in c852b8b

    
           if (!$event->getRequest()->attributes->get('_stateless', false)) { 
        
               return; 
        
           } 
        
           if ($this->debug) { 
        
               throw new UnexpectedSessionUsageException('Session was used while the request was declared stateless.'); 
        
           } 
        
           if ($this->container->has('logger')) { 
        
               $this->container->get('logger')->warning('Session was used while the request was declared stateless.'); 
        
           }

,
what about including the isStateless check directly in hasSession and getSession method ?

Example

We could have

public function getSession(): SessionInterface
    {
        if ($this->isStateless()) {
           throw new UnexpectedSessionUsageException('Session is used while the request was declared stateless.');
        }

        $session = $this->session;
        if (!$session instanceof SessionInterface && null !== $session) {
            $this->setSession($session = $session());
        }

        if (null === $session) {
            throw new SessionNotFoundException('Session has not been set.');
        }

        return $session;
    }

and

either hasSession returns false when the request is stateless.
either hasSession returns true and people will have to check hasSession && !isStateless to call getSession.

Of course, this would be introduced in a BC way with

if ($this->isStateless()) {
    trigger_deprecation('symfony/http-foundation', '7.2', 'Accessing the session on a stateless request is deprecated and will throw an exception in next major.');
}

in Symfony 7.

WDYT ? Is there a reason to allowing accessing the session when the request is stateless ?

The text was updated successfully, but these errors were encountered:

94noni · 2024-06-23T20:00:16Z

Indeed as I’ve commented on your pr, i think it make sens to me to expose a more higher public level of this internal data as the attribute _stateless is
And have a more generic and easy/fastforward way to handle request and session if any

gnutix · 2024-06-29T10:07:34Z

I think this discussion relates to this topic as well, so I thought I'd share. : #45025

micheh · 2024-07-27T15:14:06Z

I think it would simplify things a lot if stateless requests would act like the session does not exist, e.g. $request->hasSession() would return false and $request->getSession() would throw an exception that the session is not available in stateless requests.

Otherwise you'd have to always check yourself if the request is stateless (both in the framework itself and in your own code). Some places in the Symfony framework have already been updated to include this check, but there are still some places remaining that are missing this check, resulting in bugs or unexpected behavior. I think there shouldn't be a use case to create/read/update/delete the session if you declare the route/request stateless.

Regardless of this, in my opinion $request->hasSession() is a bit confusing when used without the optional parameter$skipIfUninitialized = true. When using this method with the default $skipIfUninitialized = false, this method will more or less always return true even if there is no session, because the AbstractSessionListener will set the session factory at the beginning of the request. The default $request->hasSession() seems to behave more like a $request->supportsSession(). Therefore I think it would make sense if $request->hasSession() returns false when the request is stateless.

carsonbot · 2025-01-28T13:03:43Z

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?
Every feature is developed by the community.
Perhaps someone would like to try?
You can read how to contribute to get started.

carsonbot · 2025-02-11T13:05:58Z

Could I get a reply or should I close this?

94noni · 2025-02-11T13:25:14Z

perhaps this comment can/must be linked to showcase how ppl can, in their code, handle the fact that there is a session or not
and not rely on new request data to avoid conflict behavior/naming around request stateless and route stateless etc

carsonbot added HttpFoundation RFC R 8000 FC = Request For Comments (proposals about features that you want to be discussed) labels Jun 23, 2024

VincentLanglet mentioned this issue Jun 23, 2024

[HttpKernel][Security] Fix accessing session for stateless request #57372

Merged

This was referenced Jul 27, 2024

[HttpFoundation] Add Request::isStateless method #57852

Closed

[Security] Do not remove existing session on stateless requests #57854

Closed

carsonbot added the Stalled label Jan 28, 2025

carsonbot removed the Stalled label Feb 11, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[HttpFoundation] [RFC] Improve stateless request handling #57502

[HttpFoundation] [RFC] Improve stateless request handling #57502

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!