[FrameworkBundle][HttpKernel] Restrict stateless reporting to exception only #36321
Conversation
bf3ee5d to
369872a
Compare
|
I was wondering if we shouldn't rename "debug" to "strict". |
|
I like the strict idea. Maybe we could add a |
|
yes, a config entry looks like an idea to consider to me |
Even better yes, I'll give a try |
369872a to
2d20edb
Compare
|
With this implementation, you'll have the following configuration available: session:
strict_stateless: trueWith default configuration to |
src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
Outdated
Show resolved
Hide resolved
2d20edb to
3f38bdf
Compare
|
Thanks for creating this PR. The thing I don't like about the current implementation is that if (true === $request->attributes->get('stateless')) {
$response->setSharedMaxAge(3600);
}The problem is that, if the route uses the session, you may be caching a page with private information and serving it to anyone. That may be a very serious problem. I don't like the idea of making this behavior configurable either. You said you weren't going to use the session ... so if you use it by mistake, the application should fail. I think the transition will be OK, because developers will see the exceptions locally and fix them. So, in the remote case that you use the session in production when you shouldn't, I think that throwing an exception is better than silencing this error. |
How can this happen? That's not possible to me, we have a mechanism that prevents it already. We know by experience that it's very easy to use the session by mistake. For ppl that inadvertently render() a controller that uses the session, would they prefer a broken prod, or an automatic "cache-control: private"? The current way (since always) is the 2nd option and this should remain to me. With a line in the logs ftw. In dev, sure, I want an exception. |
|
After discussing privately with Nicolas ... my main concern is now gone. In the previous example, Symfony will set "cache private" automatically because the session was used, so it will ignore our "smaxage" setting. So, can anyone spot another issue for using the session in a controller that said that it was not going to use the session? Thanks! |
|
Shall we close this PR then? One less option FTW. Here is an excerpt of our conversation for the record: Q:
A:
Q:
A:
|
|
IMHO, some Symfony users may want to actually throw an exception even on production. In this way they'll be a hundred percent sure that session isn't used. |
|
@mtarld my stand:
|
|
Fair enough. So if it shouldn't be configurable, we can close this PR I guess. |
This PR is related to #35732 which is reporting session usage when stateless is specified.
In debug mode, it throws an
UnexpectedSessionUsageExceptionwhereas in "no debug mode", it only logs that session is unexpectedly used.The current PR proposes to replace the log by an exception in the "no debug mode".
In that way, if session is unexpectedly used in production mode, it will throw an exception and prevent more serious problems such as serving a cached page with personal data.
WDYT ?