Session Saved Twice #13026
Comments
I agree that it should not happen. But it's not a real problem because the empty session will be deleted by garbage collection.
Hm... But it's not technically empty. It contains serialized texts. So of course the data is meaningless but it still takes up bytes, especially for in memory cache. I do not think garbage collection deletes it.
It's the default behavior that the session id is regenerated on authentication. The strategy can be configured with the Instead the old session could be deleted. The strategy is evaluated in https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php#L50
…laris)

This PR was merged into the 2.3 branch.

Discussion
----------

[Security] Delete old session on auth strategy migrate

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #13026
| License       | MIT
| Doc PR        |

As identified by @austinh in #13026 there are two sessions after authentication, since the previous session is migrated to a new one by ``session_regenerate_id``. This PR ensures the old session is deleted immediately on migration.

I can't see any drawbacks, but if the change would break BC, another approach would be to add a new strategy like ``switch`` to enable instant deletion of the old session.

Commits
-------

5dd11e6 [Security] Delete old session on auth strategy migrate
Just tried it. Yes it does! Thank you very much.
I am not 100% sure if this is a Symfony bug because I am using FOSUserBundle, but from my debugging it seems to be a Symfony error.
The Symfony Session caller saves two sessions on authentication. One of them is a blank session with an array that looks like an empty _sf2_attributes array, and the other is the actual session. The PHPSESSID cookie is then changed to the new, different session id.
Technically, everything works. I am able to authenticate my users, but my Redis cache is double the size it needs to be and I'm starting to get short on memory. I want to get rid of these duplicate keys.
I have also tried memcached and file storage on top of SncRedisBundle. They both also produce double sessions when authenticated. So I do believe it is a Symfony issue.
You can see this in the logs by watching for the Redis commands being logged by SncRedisBundle (the memcache and file storage do not have debug logs).
Here are some examples
As you can see there are two keys being authenticated here:
I can also show you two session files that have the same thing when using the default session File Handler.
Two session files. First one contains empty sf_attributes{} and the second the logged in session.
Something changes after the "DEBUG - Write SecurityContext in the session" call. That's how far I have narrowed it down (so... not much).
Any way this can get fixed? Or maybe it's something on my end? I'm not so great with framework internals, so maybe someone can help me out.
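The behaviour discussed in this thread can be reproduced with plain PHP sessions and the files handler. The following is an added example, not code from the issue or from Symfony: it regenerates the session ID at "login" once while keeping the old session and once while deleting it, then reports what is left in the store. The temporary directory, the `user` key and the function name are assumptions made for the illustration.

```php
<?php
// Added illustration: native PHP sessions with the files handler, run from the CLI.
ini_set('session.use_cookies', '0');    // no cookie headers are needed for a CLI run
ini_set('session.cache_limiter', '');
ini_set('session.use_strict_mode', '0');

/** Simulate one login and report which session files remain in the store. */
function sessionFilesAfterLogin(bool $deleteOld): array
{
    // Constructed, throwaway save path so each run starts with an empty store.
    $dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    session_save_path($dir);

    session_id(session_create_id());     // fresh ID for each run
    session_start();                     // anonymous, pre-authentication session
    $_SESSION['_sf2_attributes'] = [];   // the "empty" payload described in the issue
    $oldId = session_id();

    // ID change on authentication. false keeps the old record in the store,
    // true deletes it as part of the regeneration.
    session_regenerate_id($deleteOld);
    $_SESSION['user'] = 'alice';         // constructed post-login data
    $newId = session_id();
    session_write_close();

    $left = array_map('basename', glob($dir . '/sess_*'));
    array_map('unlink', glob($dir . '/sess_*'));
    rmdir($dir);

    return [
        'files'               => count($left),
        'old_id_still_stored' => in_array('sess_' . $oldId, $left, true),
        'new_id_stored'       => in_array('sess_' . $newId, $left, true),
    ];
}

// Collect both results before printing so no output precedes session_start().
$results = [
    'keep old session (false)'  => sessionFilesAfterLogin(false),
    'delete old session (true)' => sessionFilesAfterLogin(true),
];
foreach ($results as $label => $r) {
    printf("%-26s files=%d old_id_still_stored=%s new_id_stored=%s\n", $label,
        $r['files'], var_export($r['old_id_still_stored'], true),
        var_export($r['new_id_stored'], true));
}
```

With the old session kept, the pre-login ID stays resolvable in the store until garbage collection removes it, which is the extra key the reporter saw in Redis and in the session files.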