Session started at several points on each request
Symfony version(s) affected
6.1.3
Description
If you are using the foshttpcachebundle, there is a problem regarding the cache header which occurs if a firewall is active.
The cache header is manipulated in onResponseEvent of the AbstractSessionListener. The AbstractSessionListener skips the autoCacheControl and cookie logic if no session is started, which is correct in my opinion.
But the session is started by the firewall and authenticator logic on each request, because ->hasSession() is not called with true as parameter and returns true as a result, even if the session is not started. That leads to getSession() calls, which start the session. The hasPreviousSession method of the Request class also calls hasSession() without true, which is wrong in my opinion.
So in the end there are some files which start the session:
- Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage: calls request_stack->getSession(), which also calls hasSession() without true
- Symfony\Component\Security\Http\Firewall\ContextListener: calls hasPreviousSession() on Request and also hasSession() without using true
Maybe there are more classes which start the session unexpectedly.
How to reproduce
As far as I can tell, it should be enough to configure a firewall, add the foshttpcachebundle and try to configure the cache in a controller.
Possible Solution
At least the hasSession() calls listed in the description should be made with "true" as the argument.
Additional Context
No response
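As an added illustration (not code from this issue and not part of Symfony itself), the check the report argues for, written as a user-land response subscriber: it asks hasSession(true) so that merely having a session factory attached does not count as a session, and only marks the response private when a session was actually started, leaving the controller's Cache-Control headers untouched otherwise. It assumes a Symfony 6.1 application with symfony/http-kernel installed; the subscriber name and the priority placing it after the core session listener are assumptions.

```php
<?php
// Added example, not from the issue or the Symfony code base.
// Assumes symfony/http-foundation and symfony/http-kernel (Symfony 6.1)
// and that the class is registered as an event subscriber.

declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class SessionAwareCacheSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Assumption: the core AbstractSessionListener listens to the
        // response event with priority -1000; a lower priority here lets
        // this subscriber observe the state after the core listener ran.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -1010]];
    }

    /**
     * Reports whether a session was really started for this request.
     *
     * hasSession() with no argument only says that a session factory is
     * attached to the request; calling getSession() at that point would
     * instantiate the session. hasSession(true) skips an uninitialized
     * session, so getSession() is only reached when the object already
     * exists and it is safe to ask it whether it was started.
     */
    public static function hasStartedSession(Request $request): bool
    {
        return $request->hasSession(true) && $request->getSession()->isStarted();
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        $request = $event->getRequest();

        if (!self::hasStartedSession($request)) {
            // Nothing touched the session: leave the controller's
            // Cache-Control headers (e.g. public, s-maxage) as they are.
            return;
        }

        // A started session means the response may be user-specific,
        // so make sure no shared cache stores it.
        $event->getResponse()->setPrivate();
    }
}
```

The point of the two-step check is that `hasSession(true)` never creates the session as a side effect, whereas any `getSession()` call guarded only by `hasSession()` does; if a listener has to run on every request, it must use the former or it will itself trigger the cache-header problem the issue describes.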
At least the same problem as this one: https://github.com/symfony/symfony/issues/40540 But now the creation of a session isn't only annoying, it's breaking HTTP caching headers.
Hey, thanks for your report! There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?
Just a quick reminder to make a comment on this. If I don't hear anything I'll close this.
Hey,
I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!