8000 Added a short cookbook about avoiding the automatic start of the sessions by javiereguiluz · Pull Request #4661 · symfony/symfony-docs · GitHub
[go: up one dir, main page]
Skip to content

Added a short cookbook about avoiding the automatic start of the sessions #4661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Feb 5, 2015
Merged

Added a short cookbook about avoiding the automatic start of the sessions #4661

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
99781f8
Added a short cookbook about avoiding the automatic start of the sess…
javiereguiluz Dec 16, 2014
0212779
Tweaks and rewordings to improve the article
javiereguiluz Dec 17, 2014
7dd3945
Added the new cookbook article to the global map
javiereguiluz Dec 22, 2014
bbba47a
Added all sugestions made by reviewers
javiereguiluz Feb 5, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Added a short cookbook about avoiding the automatic start of the sess… 
…ions
  • Loading branch information
@javiereguiluz
javiereguiluz committed Dec 16, 2014
commit 99781f869f09799ec70ca770d7f8c5dbcbc35f01 8000
54 changes: 54 additions & 0 deletions cookbook/session/avoid_session_start.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
.. index::
single: Sessions, cookies

Avoid Starting Sessions for Anonymous Users
===========================================

Sessions in Symfony applications are automatically started when they are necessary.
This includes writing in the user's session, creating a flash message and logging
in users. In order to start the session, Symfony creates a cookie which will be
sent for every request.

However, there are other scenarios when a session is started and therefore, a
cookie will be created even for anonymous users. First, consider the following
code commonly used to display flash messages:

.. code-block:: html+jinja

{% for flashMessage in app.session.flashbag.get('notice') %}
<div class="flash-notice">
{{ flashMessage }}
</div>
{% endfor %}

Even if the user is not logged in and even if you haven't created any flash message,
just calling the ``get()`` method of the ``flashbag`` will start a session. This
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

just calling the ``get()`` (or even ``has()``) method...

may hurt your application performance because all users will receive a session
cookie. To avoid this behavior, add a check before trying to access the flash messages:

.. code-block:: html+jinja

{% if app.session.started %}
{% for flashMessage in app.session.flashbag.get('notice') %}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, so I don't think this is right - it's a confusing thing:

A) Session::isStarted() checks if the session has been started on this request or not. This is not what we want

B) Request::hasPreviousSession() checks if the user has a session cookie - i.e. if a session was created on a previous request. This is what we do want.

There's a huge confusion over this - I was just reading symfony/symfony#6036 and symfony/symfony#6388 about this - the functionality for this is not right in the core, which is why this is so difficult.

<div class="flash-notice">
{{ flashMessage }}
</div>
{% endfor %}
{% endif %}

Another scenario where session cookies will be automatically sent is when the
requested URL is covered by a firewall, no matter if anonymous users can access
to that URL:

.. code-block:: yaml

# app/config/security.yml
security:
firewalls:
main:
pattern: ^/
form_login: ~
anonymous: ~
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xml and php are missing


This behavior is caused because in Symfony applications, anonymous users are
technically authenticated,.
3 changes: 2 additions & 1 deletion cookbook/session/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@ Sessions
proxy_examples
locale_sticky_session
sessions_directory
php_bridge
php_bridge
avoid_session_start
0