8000 Added a short cookbook about avoiding the automatic start of the sessions by javiereguiluz · Pull Request #4661 · symfony/symfony-docs · GitHub
[go: up one dir, main page]
Skip to content

Added a short cookbook about avoiding the automatic start of the sessions #4661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Feb 5, 2015
Merged

Added a short cookbook about avoiding the automatic start of the sessions #4661

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
99781f8
Added a short cookbook about avoiding the automatic start of the sess…
javiereguiluz Dec 16, 2014
0212779
Tweaks and rewordings to improve the article
javiereguiluz Dec 17, 2014
7dd3945
Added the new cookbook article to the global map
javiereguiluz Dec 22, 2014
bbba47a
Added all sugestions made by reviewers
javiereguiluz Feb 5, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Tweaks and rewordings to improve the article
  • Loading branch information
@javiereguiluz
javiereguiluz committed Dec 17, 2014
commit 02127792b2df3eb02ad08f23634aa5f1149d7643
12 changes: 6 additions & 6 deletions cookbook/session/avoid_session_start.rst
View file
Open in desktop
8000
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,14 @@
Avoid Starting Sessions for Anonymous Users
===========================================

Sessions in Symfony applications are automatically started when they are necessary.
Sessions in Symfony applications are automatically started whenever they are necessary.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

Sessions are automatically started whenever you read, write or even check for the existence
of data in the session. This means that if you need to avoid creating a session cookie for some
users, it can be difficult: you must *completely* avoid accessing the session.

For example, one common problem in this situation involves checking for flash messages, which
are stored in the session. The following code would guarantee that a session is *always* started:

... then the code block

This includes writing in the user's session, creating a flash message and logging
in users. In order to start the session, Symfony creates a cookie which will be
sent for every request.
added to every user request.

However, there are other scenarios when a session is started and therefore, a
However, there are other scenarios when a session is started automatically and a
cookie will be created even for anonymous users. First, consider the following
code commonly used to display flash messages:
template code commonly used to display flash messages:

.. code-block:: html+jinja

Expand All @@ -37,7 +37,7 @@ cookie. To avoid this behavior, add a check before trying to access the flash me
{% endif %}

Another scenario where session cookies will be automatically sent is when the
requested URL is covered by a firewall, no matter if anonymous users can access
requested URL is covered by a firewall, even when anonymous users can access
to that URL:

.. code-block:: yaml
Expand All @@ -51,4 +51,4 @@ to that URL:
anonymous: ~
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xml and php are missing


This behavior is caused because in Symfony applications, anonymous users are
technically authenticated,.
technically authenticated.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there any way to avoid this behaviour? or what is the recommended approach for this problem? using a different domainname for logged in users?

< 631A details-menu class="dropdown-menu dropdown-menu-sw show-more-popover color-fg-default" style="width:185px" src="" preload > Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a killer, but I'm not sure it's true (yay!). I just tested locally on a 2.6 project, and once I protected against the flash messages (using app.request.hasPreviousSession) and removed some session checks from my user-land code, there was no session cookie.

The security-related session stuff is handled in ContextListener. On kernel.request, it correctly doesn't start the session unless there was a previous session (https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L76). Then, on kernel.response, it correctly doesn't save the token to the session if we're dealing with an AnonymousToken: https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L125

So for me, this note is not valid - but I wonder where you got this idea from @javiereguiluz? Is there something else?

0