Symfony version(s) affected
4.4.35
Description
The session problems in 5.4.1 prompted me to investigate another issue we noticed with sessions over http:// connections in Symfony 4.4. It seems framework.session.cookie_secure: auto does not work correctly in Symfony 4.4 either. If a session is created in Symfony 4.4, the following response header will be set, even over http:// connections:
Set-Cookie: PHPSESSID=…; path=/; secure; httponly
As you can see the secure flag was set, even though the session was started via an http:// connection and framework.session.cookie_secure is set to auto. For comparison, the response header in Symfony 5.4.0 and soon to be 5.4.2 looks like this:
Set-Cookie: PHPSESSID=…; path=/; httponly
The secure flag is not present, as expected.
How to reproduce
Use symfony/http-kernel: 4.4.35 in your project.
Create a controller that starts the session.
Access the controller via http:// and check the response headers.
Possible Solution
No response
Additional Context
The session still works as far as I can tell, at least problems will not manifest themselves immediately. However, we experienced firewall problems if there already is an active session over http:// with the secure flag set, plus an active login on that session, and a new login attempt is made with the same session and the same scheme (http://), but a different firewall.
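A quick way to check for the mismatch described in this issue, as an added example that is not part of the report or of Symfony's own code: it tells whether the secure flag on a Set-Cookie header agrees with the scheme the request was made over, which is exactly what cookie_secure: auto is supposed to guarantee. The sample header values and the audit_url helper are my own assumptions, not taken from the issue.

```shell
#!/bin/sh
# Added example: audit a Set-Cookie header against the request scheme.
# With cookie_secure: auto, https responses must carry "secure" and
# http responses must not. Returns 0 when consistent, 1 when not,
# 2 for an unknown scheme.
cookie_secure_matches_scheme() {
  scheme="$1"   # "http" or "https"
  header="$2"   # one complete Set-Cookie header line
  has_secure=0
  # Normalise: drop CR, lower-case, collapse "; " to ";" so attributes
  # can be matched as ";name;" regardless of spacing or case.
  lowered=$(printf '%s' "$header" | tr -d '\r' | tr 'A-Z' 'a-z' | sed 's/; */;/g')
  case ";${lowered};" in
    *";secure;"*) has_secure=1 ;;
  esac
  case "$scheme" in
    https) [ "$has_secure" -eq 1 ] ;;
    http)  [ "$has_secure" -eq 0 ] ;;
    *)     return 2 ;;
  esac
}

# Constructed samples (cookie value is made up): the first is what the
# issue reports 4.4.35 sending over http://, the second is the expected form.
SAMPLE_HTTP_BUG='Set-Cookie: PHPSESSID=abc123; path=/; secure; httponly'
SAMPLE_HTTP_OK='Set-Cookie: PHPSESSID=abc123; path=/; httponly'

# Live check helper (assumed, not from the issue): fetch a URL, keep only
# the response headers (-D -), and flag every Set-Cookie line that does
# not match the URL's scheme. Run it against your own http:// and https://
# endpoints after a session-starting controller.
audit_url() {
  url="$1"
  scheme="${url%%://*}"
  curl -s -o /dev/null -D - "$url" | grep -i '^set-cookie:' | while IFS= read -r line; do
    if cookie_secure_matches_scheme "$scheme" "$line"; then
      printf 'OK       %s\n' "$line"
    else
      printf 'MISMATCH %s\n' "$line"
    fi
  done
}
```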