Fix EZP-21991: UserHash should be cached tied to user session id, not user cookies #720
Conversation
Review ping @andrerom @bdunogier @dpobel @yannickroger @pspanja @gggeek
} | ||
|
||
/** | ||
* Checks if passed string can be considered as a session name. |
maybe add something to the effect of "such as would be used in cookies" ?
A bit OT for this PR, but I do not like very much the "isAnonymous" method name, which in fact checks if user has session or not. What if anonymous users do have sessions?
@gggeek This is indeed OT. Please focus on this PR review 😉
Just to clarify, this does not attempt to handle the problem with multiple siteaccesses/sessions, correct? (part 2. of the JIRA issue) I wonder if there is any limit to the cache key length, or if f.e. a checksum could be used instead?
@joaoinacio Correct.
@@ -132,7 +132,7 @@ public function generateUserHash( Request $request ) | |||
// We must have a session at that point since we're supposed to be connected, so HTTP_COOKIE must contain session id. | |||
// HTTP_COOKIE header will be used as cache key to store the user hash. |
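Review bot: the two comment lines in this hunk still state that the HTTP_COOKIE header is used as the cache key, which contradicts the PR description saying the key is now bound only to the user session id; reword them to say that the session id taken from the cookie is the cache key, so the comment matches the new code path.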
This comment should be updated I guess
Besides the comment thing, +1
+1
Aside from @dpobel's remark, +1
Updated and rebased.
Fix EZP-21991: UserHash should be cached tied to user session id, not user cookies
https://jira.ez.no/browse/EZP-21991
This patch makes the UserHash cache key bound only to the user session id.
Important note
The session cookie path/domain/lifetime issue is deliberately not addressed here and will be fixed in a different PR.
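As an added example (not code from this PR or from eZ Publish), the cache-key change described above in PHP: the old key built from the raw HTTP_COOKIE header beside one derived from the session cookie only, hashed so its length is fixed, which also addresses the key-length question raised in the review. The function names, the session-name rule and the sample headers are assumptions.

```php
<?php
// Added example, not code from the eZ Publish PR: contrasts keying the user-hash
// cache on the raw HTTP_COOKIE header with keying it on the session id only.
// Function names, the session-name rule and the sample headers are assumptions.
// Assumed rule for "can be considered as a session name": a short identifier.
function looksLikeSessionName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name);
}

// Minimal Cookie header parser: "a=1; b=2" becomes ['a' => '1', 'b' => '2'].
function parseCookieHeader(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair !== '') {
            [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
            $cookies[$name] = $value;
        }
    }
    return $cookies;
}

// Behaviour the PR replaces: every cookie the browser sends is part of the key,
// so the same session with one extra unrelated cookie gets a separate entry.
function oldCacheKey(string $cookieHeader): string
{
    return 'ezuserhash:' . $cookieHeader;
}
// Behaviour the PR introduces: only the session cookie value feeds the key; it is
// hashed so the key has a fixed length whatever the session id format is.
function newCacheKey(string $cookieHeader, string $sessionName): ?string
{
    if (!looksLikeSessionName($sessionName)) {
        return null;
    }
    $cookies = parseCookieHeader($cookieHeader);
    if (!isset($cookies[$sessionName]) || $cookies[$sessionName] === '') {
        return null; // no session cookie: anonymous request, no per-user entry
    }
    return 'ezuserhash:' . hash('sha256', $cookies[$sessionName]);
}
// Constructed sample headers: same session id, different unrelated cookies.
$first = 'eZSESSID=abc123; _ga=GA1.2.555';
$second = 'eZSESSID=abc123; _ga=GA1.2.555; consent=yes';
echo 'old keys equal: ', var_export(oldCacheKey($first) === oldCacheKey($second), true), "\n";
echo 'new keys equal: ', var_export(newCacheKey($first, 'eZSESSID') === newCacheKey($second, 'eZSESSID'), true), "\n";
echo 'no session: ', var_export(newCacheKey('consent=yes', 'eZSESSID'), true), "\n";
```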