Skip to content

Added a short cookbook about avoiding the automatic start of the sessions #4661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Feb 5, 2015
Merged

Added a short cookbook about avoiding the automatic start of the sessions #4661

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
99781f8
Added a short cookbook about avoiding the automatic start of the sess…
javiereguiluz Dec 16, 2014
0212779
Tweaks and rewordings to improve the article
javiereguiluz Dec 17, 2014
7dd3945
Added the new cookbook article to the global map
javiereguiluz Dec 22, 2014
bbba47a
Added all sugestions made by reviewers
javiereguiluz Feb 5, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions cookbook/map.rst.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,7 @@
* :doc:`/cookbook/session/sessions_directory`
* :doc:`/cookbook/session/php_bridge`
* (configuration) :doc:`/cookbook/configuration/pdo_session_storage`
* :doc:`/cookbook/session/avoid_session_start`

* **symfony1**

Expand Down
54 changes: 54 additions & 0 deletions cookbook/session/avoid_session_start.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
.. index::
single: Sessions, cookies

Avoid Starting Sessions for Anonymous Users
===========================================

Sessions in Symfony applications are automatically started whenever they are necessary.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

Sessions are automatically started whenever you read, write or even check for the existence
of data in the session. This means that if you need to avoid creating a session cookie for some
users, it can be difficult: you must *completely* avoid accessing the session.

For example, one common problem in this situation involves checking for flash messages, which
are stored in the session. The following code would guarantee that a session is *always* started:

... then the code block

This includes writing in the user's session, creating a flash message and logging
in users. In order to start the session, Symfony creates a cookie which will be
added to every user request.

However, there are other scenarios when a session is started automatically and a
cookie will be created even for anonymous users. First, consider the following
template code commonly used to display flash messages:

.. code-block:: html+jinja

{% for flashMessage in app.session.flashbag.get('notice') %}
<div class="flash-notice">
{{ flashMessage }}
</div>
{% endfor %}

Even if the user is not logged in and even if you haven't created any flash message,
just calling the ``get()`` method of the ``flashbag`` will start a session. This
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

just calling the ``get()`` (or even ``has()``) method...

may hurt your application performance because all users will receive a session
cookie. To avoid this behavior, add a check before trying to access the flash messages:

.. code-block:: html+jinja

{% if app.session.started %}
{% for flashMessage in app.session.flashbag.get('notice') %}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, so I don't think this is right - it's a confusing thing:

A) Session::isStarted() checks if the session has been started on this request or not. This is not what we want

B) Request::hasPreviousSession() checks if the user has a session cookie - i.e. if a session was created on a previous request. This is what we do want.

There's a huge confusion over this - I was just reading symfony/symfony#6036 and symfony/symfony#6388 about this - the functionality for this is not right in the core, which is why this is so difficult.

<div class="flash-notice">
{{ flashMessage }}
</div>
{% endfor %}
{% endif %}

Another scenario where session cookies will be automatically sent is when the
requested URL is covered by a firewall, even when anonymous users can access
to that URL:

.. code-block:: yaml

# app/config/security.yml
security:
firewalls:
main:
pattern: ^/
form_login: ~
anonymous: ~
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xml and php are missing


This behavior is caused because in Symfony applications, anonymous users are
technically authenticated.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there any way to avoid this behaviour? or what is the recommended approach for this problem? using a different domainname for logged in users?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a killer, but I'm not sure it's true (yay!). I just tested locally on a 2.6 project, and once I protected against the flash messages (using app.request.hasPreviousSession) and removed some session checks from my user-land code, there was no session cookie.

The security-related session stuff is handled in ContextListener. On kernel.request, it correctly doesn't start the session unless there was a previous session (https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L76). Then, on kernel.response, it correctly doesn't save the token to the session if we're dealing with an AnonymousToken: https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L125

So for me, this note is not valid - but I wonder where you got this idea from @javiereguiluz? Is there something else?

3 changes: 2 additions & 1 deletion cookbook/session/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@ Sessions
proxy_examples
locale_sticky_session
sessions_directory
php_bridge
php_bridge
avoid_session_start