-
-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set session.cookie_* parameters properly #3423
Conversation
@mvrhov - what does this fix exactly? It looks like a different way of doing the same thing but now there is no default value on |
Like I said in description. $option contains some cookie options and none of them has cookie_ prefix.
Sorry non native speaker an a bit hard to explain, could you ping me in a couple of hours on IRC if this still doesn't make any sense. |
@mvrhov - I wrote some tests for this particular code and I still don't see what this PR fixes. I'll try to catch you on IRC later on but can't guarantee it. |
added test |
@@ -42,6 +42,8 @@ To get the diff between two versions, go to https://github.com/symfony/symfony/c | |||
* added support for placeholders in route defaults and requirements (replaced by the value set in the service container) | |||
* added Filesystem component as a dependency | |||
* added support for hinclude (use ``standalone: 'js'`` in render tag) | |||
* [BC BREAK] following session options: 'lifetime', 'path', 'domain', 'secure', 'httponly' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not really a BC break since the configuration is still read using the old values, it's just updated in the dumped container. What might be nicer is to alter the code so that lifetime
is rewritten to cookie_lifetime
for BC, but that the configfile may also use the updated values as cookie_lifetime
. This way there is still no BC break and there is no magic happening in the background which is always going to give someone a headache down the line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
->beforeNormalization()
would allow to change the keys names (if that's what you are looking for)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would also need to update the FrameworkBundle\Resources\config\schema\symfony-1.0.xsd
I believe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@vicb: It's a bit complicated.
- we should support both keys the prefixed one and unprefixed one.
- if both are present in the config prefixed one should take precedence (preferably)? or exception should be thrown
Mark the unprefixed keys as deprecated in the documentation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm guessing you need to add the keys to the .xsd, and then add the nodes
to
https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php#L161
Just for reference for those reading this ticket, |
if (isset($config[$key])) { | ||
$options[$key] = $config[$key]; | ||
} | ||
} | ||
//drivers requre correct names for cookie options e.g the one with cookie_ prefix |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: require
It is relevant. Maybe I'll do the cleanup this PR by forking it if @mvrhov doesn't have time. |
Prefixed following session options: 'lifetime', 'path', 'domain', 'secure', 'httponly' because this results in better session driver code
Fixed the typo and changed the false to ture as reported in comments. I've also rebased. I'll see what I can do about config file change later today. Sorry for the delay, been too busy for the past week. |
I've also done the config part. |
Ok, this should be it. |
// set defaults for certain values | ||
$defaults = array( | ||
'cache_limiter' => '', // disable by default because it's managed by HeaderBag (if used) | ||
'auto_start' => true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is incorrect, auto_start
should be false
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
@fabpot - looks good from my side. |
Commits ------- 471b564 auto_start should be false 6e2a7da Support session cookie options with cookie_ prefix e0fba80 Properly merge session cookie_* parameters Discussion ---------- Set session.cookie_* parameters properly Bug fix: yes Feature addition: no Backwards compatibility break: yes Symfony2 tests pass: yes Fixes the following tickets: / Cookie parameters in $options are not prefixed with cookie_ the same is true for data returned from session_get_cookie_params. I've marked this as BC because the options that get dumped into the container have different name. But I don't think anybody was actually changing them or accessing them in their bundles. P.S. @Drak also desires some credits for this PR as I incorporated some lines written by him in one of the iterations. --------------------------------------------------------------------------- by drak at 2012-02-23T14:24:42Z @mvrhov - what does this fix exactly? It looks like a different way of doing the same thing but now there is no default value on `cookie_httponly`. --------------------------------------------------------------------------- by mvrhov at 2012-02-23T15:09:17Z Like I said in description. $option contains some cookie options and none of them has cookie_ prefix. And this prefix is needed in two cases: - to properly merge defaults and override them with what user set - in a foreach for for proper ini_set Sorry non native speaker an a bit hard to explain, could you ping me in a couple of hours on IRC if this still doesn't make any sense. --------------------------------------------------------------------------- by drak at 2012-02-23T15:29:41Z @mvrhov - I wrote some tests for this particular code and I still don't see what this PR fixes. I'll try to catch you on IRC later on but can't guarantee it. --------------------------------------------------------------------------- by mvrhov at 2012-02-23T16:02:41Z added test --------------------------------------------------------------------------- by drak at 2012-02-24T08:30:51Z Just for reference for those reading this ticket, `session_set_cookie_params()` alters the runtime ini settings it corresponds to see http://docs.php.net/manual/en/function.session-set-cookie-params.php so we agreed to remove the special handling that was present since it is redundant. --------------------------------------------------------------------------- by dlsniper at 2012-02-28T22:19:32Z Hi, Is this patch relevant or not after all? ping @Drak @mvrhov Thanks :) --------------------------------------------------------------------------- by drak at 2012-02-29T03:34:22Z It is relevant. Maybe I'll do the cleanup this PR by forking it if @mvrhov doesn't have time. --------------------------------------------------------------------------- by mvrhov at 2012-02-29T05:40:47Z Fixed the typo and changed the false to ture as reported in comments. I've also rebased. I'll see what I can do about config file change later today. Sorry for the delay, been too busy for the past week. --------------------------------------------------------------------------- by mvrhov at 2012-02-29T08:49:23Z I've also done the config part. --------------------------------------------------------------------------- by mvrhov at 2012-02-29T11:01:14Z Ok, this should be it. --------------------------------------------------------------------------- by drak at 2012-03-01T00:59:16Z @fabpot - looks good from my side.
Bug fix: yes
Feature addition: no
Backwards compatibility break: yes
Symfony2 tests pass: yes
Fixes the following tickets: /
Cookie parameters in $options are not prefixed with cookie_ the same is true for data returned from session_get_cookie_params.
I've marked this as BC because the options that get dumped into the container have different name. But I don't think anybody was actually changing them or accessing them in their bundles.
P.S. @Drak also desires some credits for this PR as I incorporated some lines written by him in one of the iterations.