[HttpFoundation] MongoDbSessionHandler::read() now checks for valid session age #13911
Initial PR was on 2.7: Conflicts: src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MongoDbSessionHandler.php src/Symfony/Component/HttpFoundation/Tests/Session/Storage/Handler/MongoDbSessionHandlerTest.php
Thank you @bzikarsky.
…for valid session age (bzikarsky)

This PR was squashed before being merged into the 2.3 branch (closes #13911).

Discussion
----------

[HttpFoundation] MongoDbSessionHandler::read() now checks for valid session age

This PR is a follow-up to #12516 and replaces the old one.

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | no
| Fixed tickets | -
| License       | MIT
| Doc PR        | TODO

As discussed there: Sessions which are older than GC age should never be read.
This PR adds the expiry-datetime on session-write and changes session-read and session-gc accordingly.

We still need to update the documentation with some clarifications, as described here:
- #12516 (comment)
- #12516 (comment)

My experience with the Symfony Docs from a developer perspective is very limited, so help would be very appreciated.

Commits
-------

8289ec3 [HttpFoundation] MongoDbSessionHandler::read() now checks for valid session age
Approach looks ok. But to me this seems to be a BC break. Old entries don't have the expiry field and thus GC doesn't work for them. Or am I missing something?
You are right, currently old (pre-patch) sessions wouldn't even be cleaned up. No one thought of this yet. Oh well. We can now fix: a) only b) c) I'd go with a) personally. It's very lightweight and I think a framework upgrade allows for sessions to be invalidated. What do you think? (/cc @jmikola)
My understanding is that all three options would require For (b) and (c), which use the same That said, I'm in favor of (a). If we must use
This PR is a follow-up to #12516 and replaces the old one.
As discussed there: Sessions which are older than GC age should never be read.
This PR adds the expiry-datetime on session-write and changes session-read and session-gc accordingly.
We still need to update the documentation with some clarifications, as described here:
My experience with the Symfony Docs from a developer perspective is very limited, so help would be very appreciated.
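The behaviour discussed in this thread, as an added example that is not the PR's code or Symfony's handler: expiry is stamped on write, `read()` refuses expired sessions even before any GC pass, and a GC that filters on the expiry field skips pre-patch documents that lack it. An in-memory array stands in for the MongoDB collection; the class name, the field names (`data`, `time`, `expires_at`), `importLegacy()` and the choice to reject legacy documents on read are all assumptions made for illustration.

```php
<?php
// Added illustration: an in-memory array stands in for the MongoDB collection.
// Class, method and field names are hypothetical, not the handler's real schema.
final class ExpiringSessionStore
{
    /** @var array<string, array<string, mixed>> */
    private array $docs = [];

    public function __construct(private int $maxLifetime) {}

    public function write(string $id, string $data, int $now): void
    {   // The expiry timestamp is stored with the session at write time.
        $this->docs[$id] = ['data' => $data, 'time' => $now, 'expires_at' => $now + $this->maxLifetime];
    }

    public function read(string $id, int $now): string
    {
        $doc = $this->docs[$id] ?? null;
        // Fail closed: unknown, expired, or expiry-less documents yield an empty
        // session, whether or not gc() has run yet (assumed policy for this sketch).
        if ($doc === null || !isset($doc['expires_at']) || $doc['expires_at'] <= $now) {
            return '';
        }
        return $doc['data'];
    }

    public function gc(int $now): int
    {
        $removed = 0;
        foreach ($this->docs as $id => $doc) {
            // Mirrors an "expires_at < now" range filter: a document without
            // the field never matches, so it is never collected.
            if (isset($doc['expires_at']) && $doc['expires_at'] < $now) {
                unset($this->docs[$id]);
                $removed++;
            }
        }
        return $removed;
    }

    public function importLegacy(string $id, string $data, int $time): void
    {   // Constructed pre-patch document: no expires_at field.
        $this->docs[$id] = ['data' => $data, 'time' => $time];
    }

    public function count(): int { return count($this->docs); }
}

$store = new ExpiringSessionStore(1440);   // constructed sample values throughout
$store->write('fresh', 'user=1', 1000);
$store->importLegacy('old', 'user=2', 10);
var_dump($store->read('fresh', 2439));     // read inside the lifetime
var_dump($store->read('fresh', 2441));     // read after expiry, before any gc run
var_dump($store->read('old', 2441));       // legacy document with no expires_at
var_dump($store->gc(5000), $store->count()); // gc pass, then documents left behind
```

The final `count()` shows the reviewer's point: the legacy document survives every GC pass until something else removes it.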