[HttpFoundation] Make sessions secure and lazy #24523
By implementing it, we would make Symfony session handling much better and stronger. Meanwhile, doing some cookie headers management, this also gives the opportunity to fix the "don't start if session is only read issue".
So, here we are for the general idea. Now needs more (and green) tests, and review of course.
PR is green and ready. This is a significant improvement over the current session handlers, thanks to this new PHP 7.0 interface.
This adds two main classes:
The rest are related tweaks.
Have you tested this with a full Symfony stack?
When a typical Symfony SessionBag is empty it is not the empty string, it contains some metadata.
Because of this, this PR will not fix #6388
What about the
@nicolas-grekas what I proposed in #12325 is to not start the session at all until data is set when there is no session cookie in the request. I don't think that it is implemented yet. This would avoid generating a session id, starting the session handler etc. when you just read session data to then realize nothing is there.
@Tobion from the HTTP pov, the observed behavior is exactly the same. In fact, starting the session has the benefit of sending the appropriate Cache-Control header. If HTTP cacheability is improved by the current change, it means we may not have to care anymore about whether the session is really started or not.
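The behaviour proposed in the thread above (do not start the session on a read when the request carries no session cookie) can be sketched as follows. This is an added example, not code from this PR or from Symfony: `LazySession`, its `$opener` callback and the `PHPSESSID` cookie name used in the demo are hypothetical, and it assumes PHP 8.0 or later.

```php
<?php
// Hypothetical illustration only: LazySession is not a Symfony class.
final class LazySession
{
    private bool $started = false;
    private array $data = [];

    // $cookies: request cookies; $name: session cookie name;
    // $opener: opens the real session storage and returns its data.
    public function __construct(
        private array $cookies,
        private string $name,
        private \Closure $opener
    ) {}

    public function get(string $key, mixed $default = null): mixed
    {
        // No cookie means this client never had a session, so there is
        // nothing to read: skip the handler and do not mint a session id.
        if (!$this->started && !isset($this->cookies[$this->name])) {
            return $default;
        }
        $this->start();
        return $this->data[$key] ?? $default;
    }

    public function set(string $key, mixed $value): void
    {
        $this->start(); // a write always needs a real session
        $this->data[$key] = $value;
    }

    public function isStarted(): bool { return $this->started; }

    private function start(): void
    {
        if (!$this->started) {
            $this->data = ($this->opener)();
            $this->started = true;
        }
    }
}

// Constructed demo: count how often the storage is opened.
$opened = 0;
$opener = function () use (&$opened): array { $opened++; return []; };

$anon = new LazySession([], 'PHPSESSID', $opener);
$anon->get('user');                 // read without a cookie
var_dump($anon->isStarted(), $opened);
$anon->set('user', 'alice');        // first write starts the session
var_dump($anon->isStarted(), $opened);
```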