Symfony2: Stateless Authentication set to true, session still being created


Solution 1

Update: With #2200 (Symfony 2.1) the configuration option framework.session.auto_start doesn't exist anymore. The session now always starts on demand as long as the php-ini settings are appropriate.

"stateless authentication" means that it doesn't use sessions for authentication, but this does not mean that there will be no session at all. Especially with

framework:
    session:
        auto_start: true

there will always be an active session.

Also note the notice on the page you have linked:

If you use a form login, Symfony2 will create a cookie even if you set stateless to true.

Solution 2

Just in case it helps anyone else who is struggling with this "Symfony2 always seems to start a session, even if PHP has auto-start set to 0 and apparently Symfony2 is configured to not auto start sessions"...

I found that the code I had for displaying flash messages (if they existed) was in fact starting a session if it didn't exist - on every page.

I had:

{% for type, flashMessages in app.session.flashbag.all() %}
   {% for flashMessage in flashMessages %}
     <div class="alert alert-{{ type }}">
       {{ flashMessage }}
     </div>
   {% endfor %}
{% endfor %}

and the process of asking for the flashbag on the session object auto-starts the session if it doesn't yet exist.

If I wrap the code block above in:

{% if app.session.started %}
   ...
{% endif %}

the problem goes away.

This was causing a lot of unnecessary performance overhead - because the unnecessary setting of the PHP Session cookie meant my caching strategy for non-logged in pages was broken.

Hope this helps
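The same guard applied on the controller side, as an added example that is not from the original answers: the session is only touched when the request already carries a session cookie, so a request to the stateless `^/api/` firewall never triggers session creation or a `Set-Cookie` header. The class name and template path are hypothetical.

```php
<?php
// Added example (not code from the original post). Symfony 2.x style controller.
// The point: Request::hasPreviousSession() only checks whether the request
// carries the session cookie and does NOT start a session, whereas calling
// $request->getSession()->getFlashBag() unconditionally starts one, which
// would set a session cookie and break caching of anonymous/stateless pages.

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class ApiController extends Controller // hypothetical class name
{
    public function indexAction(Request $request)
    {
        $flashes = array();

        // Only read flash messages if a session already exists for this client.
        // A first-time API client (no cookie) skips this branch entirely.
        if ($request->hasPreviousSession()) {
            $flashes = $request->getSession()->getFlashBag()->all();
        }

        // Template path is hypothetical; the template itself should not call
        // app.session.flashbag, only iterate over the 'flashes' variable.
        $response = $this->render(
            'AppBundle:Api:index.html.twig',
            array('flashes' => $flashes)
        );

        // Mark the anonymous response as shared-cacheable; this only makes sense
        // because no session cookie is being set on this code path.
        if (!$request->hasPreviousSession()) {
            $response->setPublic();
            $response->setMaxAge(60);
        }

        return $response;
    }
}
```

To verify the fix, request the endpoint without cookies (e.g. `curl -I -u user:pass http://host/api/`) and confirm that no `Set-Cookie: PHPSESSID=...` header appears in the response.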

Author: Otto Yiu

Updated on June 04, 2022

Comments

  • Otto Yiu
    Otto Yiu almost 2 years

    I followed http://symfony.com/doc/current/book/security.html#stateless-authentication and set the flag to true. However, a session is still being created. I'm currently using PdoSessionStorage for storing the sessions if that makes any differences.

    firewalls:           
        api_area:
            pattern:  ^/api/
            stateless:  true
            http_basic:
                realm: "RESTful API"
    

    Any help would be appreciated.

  • Otto Yiu
    Otto Yiu about 12 years
I have auto_start set to false for both php.ini and in my config.yml. I'm also using basic HTTP authentication for this particular context area. My only question is: if authentication is not reliant on the session at all, are there any side effects of having a session in the first place (other than taking up entries in my PDO storage)? P.S. on the same page, it says: "no cookie will be ever created by Symfony2" with that flag set.
  • flu
    flu over 9 years
You could use the NullSessionHandler to get rid of sessions without bothering about your code. Its FQN is Symfony\Component\HttpFoundation\Session\Storage\Handler\NullSessionHandler and you can see how to use a custom session handler here: Symfony Cookbook: How to Use PdoSessionHandler to Store Sessions in the Database. Simply replace the session.handler.pdo definition with something like session.handler.null using the above-mentioned class.
  • skonsoft
    skonsoft about 9 years
This solution is deprecated!
  • COil
    COil over 6 years
Didn't know about app.session.started. In the doc it is said to use app.request.hasPreviousSession: symfony.com/doc/current/components/…