[Security/Http] don't require the session to be started when tracking its id #36118

Merged
merged 1 commit into from Mar 18, 2020

nicolas-grekas commented Mar 17, 2020

| Q | A |
| --- | --- |
| Branch? | 4.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | - |
| License | MIT |
| Doc PR | - |

`$session->getId()` returns the empty string when the session is not yet started.
When this happens, the session tracking logic wrongly detects that a new session was created and thus disables HTTP caching.

This fixes the issue by looking at the value of the session cookie instead.
(the case for `true` is when using `MockArraySessionStorage` as done in tests)
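
A simplified model of the behaviour described in this comment, as an added example that is not part of the pull request or Symfony's code: `LazySession`, `looksNewByCapturedId` and `looksNewByCookie` are hypothetical names, and the cookie name and value are constructed. For a returning visitor the captured-id check reports a new session while the cookie check does not; a visitor who sent no cookie is still reported as new.

```php
<?php
// Simplified model, not Symfony code: LazySession and both checks are hypothetical.
final class LazySession
{
    private $name;
    private $cookies;
    private $id = '';
    public function __construct(string $name, array $cookies)
    {
        $this->name = $name;
        $this->cookies = $cookies;
    }
    public function getName(): string { return $this->name; }

    // Empty string until the session is started, as the PR describes.
    public function getId(): string { return $this->id; }

    // Starting adopts the id the client sent, or mints one for a new visitor.
    public function start(): void
    {
        $sent = $this->cookies[$this->name] ?? null;
        $this->id = \is_string($sent) && '' !== $sent ? $sent : bin2hex(random_bytes(16));
    }
}

// Check keyed on an id captured before the session was started.
function looksNewByCapturedId(string $capturedId, LazySession $session): bool
{
    return $capturedId !== $session->getId();
}

// Check keyed on the session cookie. Accepting `true` follows the PR's note about
// MockArraySessionStorage; reading that as a cookie value of `true` is an assumption.
function looksNewByCookie(array $cookies, LazySession $session): bool
{
    return !\in_array($cookies[$session->getName()] ?? null, [true, $session->getId()], true);
}

$cookies = ['PHPSESSID' => 'constructed-id-0001']; // constructed sample cookie
$returning = new LazySession('PHPSESSID', $cookies);
$captured = $returning->getId(); // taken before anything started the session
$returning->start();

$firstVisit = new LazySession('PHPSESSID', []);
$firstVisit->start();

var_dump(looksNewByCapturedId($captured, $returning)); // returning visitor, captured-id check
var_dump(looksNewByCookie($cookies, $returning));      // returning visitor, cookie check
var_dump(looksNewByCookie([], $firstVisit));           // visitor who sent no cookie
```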

@nicolas-grekas nicolas-grekas added this to the 4.4 milestone Mar 17, 2020
@nicolas-grekas nicolas-grekas changed the title [Security/Http] ensure session is started when tracking it [Security/Http] don't require the session to be started when tracking its id Mar 17, 2020
@nicolas-grekas nicolas-grekas force-pushed the nicolas-grekas:sec-session-start branch from 19c656e to c39188a Mar 17, 2020
fabpot approved these changes Mar 18, 2020
fabpot commented Mar 18, 2020

Thank you @nicolas-grekas.

@fabpot fabpot merged commit abefccf into symfony:4.4 Mar 18, 2020
2 of 3 checks passed
continuous-integration/appveyor/pr: AppVeyor build failed
continuous-integration/travis-ci/pr: The Travis CI build passed
fabbot.io: Your code looks good.