Symfony2: Stateless Authentication set to true, session still being created
Solution 1
Update: With #2200 (Symfony 2.1) the configuration option framework.session.auto_start doesn't exist anymore. The session now always starts on demand as long as the php.ini settings are appropriate.
"Stateless authentication" means that it doesn't use sessions for authentication, but this does not mean that there will be no session at all. Especially with

    framework:
        session:
            auto_start: true

there will always be an active session.

Also note the notice on the page you have linked:

    If you use a form login, Symfony2 will create a cookie even if you set stateless to true.
Solution 2
Just in case it helps anyone else who is struggling with this "Symfony2 always seems to start a session, even if PHP has auto-start set to 0 and apparently Symfony2 is configured to not auto start sessions"...
I found that the code I had for displaying flash messages (if they existed) was in fact starting a session if it didn't exist - on every page.
I had:

    {% for type, flashMessages in app.session.flashbag.all() %}
        {% for flashMessage in flashMessages %}
            <div class="alert alert-{{ type }}">
                {{ flashMessage }}
            </div>
        {% endfor %}
    {% endfor %}

and the process of asking for the flashbag on the session object auto-starts the session if it doesn't yet exist.

If I wrap the code block above in:

    {% if app.session.started %}
        ...
    {% endif %}

the problem goes away.
This was causing a lot of unnecessary performance overhead - because the unnecessary setting of the PHP Session cookie meant my caching strategy for non-logged in pages was broken.
Hope this helps
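The same start-on-access behaviour, as an added PHP example that is not part of the original answers: Symfony's HttpFoundation Session with an in-memory MockArraySessionStorage, so it runs from the CLI without PHP's native session machinery. Reading the flash bag starts the session; checking isStarted() first, as the Twig guard above does, leaves it untouched. It assumes symfony/http-foundation is installed through Composer; renderFlashes() is a helper written for this example.

```php
<?php
// Added example: requires symfony/http-foundation (composer require symfony/http-foundation).
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;

// Builds the same alert markup as the Twig loop in the answer above.
// With $guarded = true it mirrors the {% if app.session.started %} wrapper:
// when no session exists there can be no flash messages, so nothing is read.
function renderFlashes(Session $session, bool $guarded): array
{
    if ($guarded && !$session->isStarted()) {
        return [];
    }
    $html = [];
    // getFlashBag() asks the storage for the bag, and the storage starts the
    // session on that call if it is not started yet. With native storage that
    // is the moment the session cookie is added to the response.
    foreach ($session->getFlashBag()->all() as $type => $messages) {
        foreach ($messages as $message) {
            $html[] = sprintf(
                '<div class="alert alert-%s">%s</div>',
                htmlspecialchars($type, ENT_QUOTES),
                htmlspecialchars($message, ENT_QUOTES)
            );
        }
    }
    return $html;
}

// Case 1: unguarded access on an anonymous request starts a session as a side effect.
$unguarded = new Session(new MockArraySessionStorage());
renderFlashes($unguarded, false);
printf("unguarded: session started = %s\n", var_export($unguarded->isStarted(), true));

// Case 2: the guard skips the flash bag, so no session is started and no cookie is set.
$guarded = new Session(new MockArraySessionStorage());
renderFlashes($guarded, true);
printf("guarded:   session started = %s\n", var_export($guarded->isStarted(), true));

// Case 3: a request that already has a session still gets its flash messages rendered,
// so the guard does not hide anything from authenticated users.
$active = new Session(new MockArraySessionStorage());
$active->start();
$active->getFlashBag()->add('success', 'Saved');
print_r(renderFlashes($active, true));
```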
Otto Yiu
Updated on June 04, 2022

Comments
- Otto Yiu, almost 2 years: I followed http://symfony.com/doc/current/book/security.html#stateless-authentication and set the flag to true. However, a session is still being created. I'm currently using PdoSessionStorage for storing the sessions if that makes any difference.

      firewalls:
          api_area:
              pattern: ^/api/
              stateless: true
              http_basic:
                  realm: "RESTful API"

  Any help would be appreciated.
- Otto Yiu, about 12 years: I have auto_start set to false for both php.ini and in my config.yml. I'm also using basic HTTP authentication for this particular context area. My only question is: if authentication is not reliant on the session at all, are there any side effects of having a session in the first place (other than taking up entries in my PDO storage)? P.S. On the same page, it says: "no cookie will be ever created by Symfony2" with that flag set.
- flu, over 9 years: You could use the NullSessionHandler to get rid of sessions without bothering about your code. Its FQN is Symfony\Component\HttpFoundation\Session\Storage\Handler\NullSessionHandler and you can see how to use a custom session handler here: Symfony Cookbook: How to Use PdoSessionHandler to Store Sessions in the Database. Simply replace the session.handler.pdo definition with something like session.handler.null using the above mentioned class.
- skonsoft, about 9 years: This solution is deprecated!
- COil, over 6 years: Didn't know about app.session.started. In the doc it is said to use app.request.hasPreviousSession. symfony.com/doc/current/components/…