[Session] Do not start the session unless it is (or has been) written to #6388
Conversation
| * @param SessionBagInterface $realBag | ||
| */ | ||
| public function __construct(EmptyStorageInterface $storage, | ||
| SessionBagInterface $realBag) |
There was a problem hiding this comment.
Please keep the signature on one line
|
I am sorry but I'm -1 on this PR. I've procrastinated a lot about replying. The PR is extremely convoluted with bags having to know about sessions and each bag having to be proxied. Bags themselves, should not be starting the session. It's full of code smell. It introduces a BC break by adding methods to an interface, which I am also not in favor of. (the PR summary text incorrectly say BC break "no"). I've not had enough time to really devote to looking at other possibilities but this is definitely not it, imo. Sorry. |
|
Why do you take the principal stand that bags should not be starting the session? I did not regard adding methods to an internal interface to be a BC break. But I guess you are right, it is technically a BC break, even though I think it will pass by unnoticed by most of the application programmers that is using symfony. So I have updated the description in the PR summary text. |
|
@Drak, if you do not like the session to be started in the bags, may be you like better option 3 that I wrote on the original bug issue: '3'. Leave the bags as they are, and delay the start of the session until just before the response is about to be sendt. Then a new response event listner has to be created that checks if anything has been written to any session bag, and start the session if that is the case. I do not know if that will be any cleaner code, because then the session stuff has to have its own response event listener, and then the session code will not be independent from the rest of symfony. |
|
BTW this is quite an important feature for high load websites |
|
@Drak could you help out making this a better PR? It's the second time I've seen tickets like #6917 that rise this problem. And I think we can all agree with what @lsmith said about being a problem for sites with high load. Do you think you could help us out with some ideas on how to do this, the proper way? /cc @fabpot |
|
I may not be able to answer well until the weekend or just after. |
|
No it won't be in 2.3. New features cannot be added in it anymore as we already froze them. |
|
@stof with all due respect this is something that appeared several times in the past and the PR is 5 months old. While it might be a new feature I could also consider this as a bug fix. Do you keep bug fixes out of 2.3 release? Imho this should have been added for 2.3 a long time ago... |
|
@dlsniper better keep the emotion out of this. Fabien has already decided which PRs will be included in 2.3 and that decision is final so there is no point making noise about it. |
|
This is an issue but we need to find the best solution to fix it. Unfortunately, we are not all in agreement with the right thing to do. |
|
FYI, Fabien referenced this particular PR as a reference to what ticket #6036 talks about. There is no promise of anything being merged at all. Just that he'd look at it. He has since decided, regardless of whether you think this is a bug or a feature, that the issue will not be addressed until post 2.3 |
|
Post 2.3 means 2.4? Or 2.3.X? Ok guys, either way thanks for looking at it, keep up the good work. For anyone else reading: Meanwhile just put all your authenticated routes under a prefix like "/user", that's what I do and it works. |
|
@disposable-ksa98 As this PR contains a BC break, it has absolutely no chance to be included in a 2.3.x bugfix release |
|
It is only a BC break because a method has been added to the Symfony\Component\HttpFoundation\Session\Storage\SessionStorageInterface |
|
We should continue the discussion on issue #6036 to find a resolution to this. I have made my comments there, but no answer seems to be coming. |
|
I'm not sure this was the case when I first reported the issue and tested it in 2.2.?... But now, in 2.3.1, the toolbar is creating a session too. So remember to disable it in config_dev.php when debugging this issue. |
|
@disposable-ksa98 afaik the toolbar requires a session because it displays the session bags and metadata. If this is not the intended behaviour you should open a separate issue for it. |
|
Since four years our "solution" to this problem has been to use the |
|
@fabpot @nicolas-grekas Do you want me to start work on this PR again? Have you decided if this will go into symfony soon? |
|
I might take over as it would be great to have this in 3.4. |
Correct.
I don't understand what you mean. Can you elaborate on that?
Starting a session when there is no session cookie on the request will result in a cookie being created via the response. Responses with the Your skepticism regarding cacheability of responses with |
|
Hi @nicolas-grekas Thank you for picking up this. If you want any help from me, just tell me. Also, just wanted to mention ticket #12325 that has useful analysis/info about this. |
|
There is an issue: if something is written to the session after the headers have been sent to the client, then we'll introduce a bug, isn't it? |
|
Good spot @nicolas-grekas. If we change Symfony to require an explicit usage of sessions instead of the existing "by default" usage, it needs to happen on 4.0 or a lot of applications would potentially be broken (in a not necessarily easy way to debug) while going to 3.4. |
|
It will only be a bug if the application programmer before used Here is my reasons that we do not necessarily need to consider this to be a backwards compatibility:
|
|
Fortunately, HttpKernel saves the session before calling |
|
Hi @nicolas-grekas I am afraid you have lost me here. Why is it important that the HttpKernel saves the session before it calls |
|
You wrote "Could be better to take a hash on ready, then decide on save. Was this approach already tried?" You have to explain more what you mean, I did not understand what you meant by that first sentence. |
|
@TerjeBr let me try to translate Nico's thoughts.
Symfony uses the
I guess the idea is that instead of "detecting" set, clear and such session changes, wouldn't it be better to "flush" the session (my words for his "decide on flush") based on a hash of the session content - or similar -. Not sure I see the value here @nicolas-grekas as this issue is as far as I understood only for non-already initialised sessions; therefore it's only when we start putting something in it 🤔 |
|
@sroze thanks :) 1st point perfectly translated :) For the 2nd point, the idea is to fix several issues at once with a simpler approach: instead of requiring a proxy for bags to track "sets", we could track only the data itself:
(I don't know the feasibility of this yet.) |
This may not be a good idea. It kind of forces you to either write code yourself to "kill" the session cookie, that will depend on the inner workings of the session handler you are using, or delegate it to the session handlers by adding some method to the session interface. There may be many types of session classes, and users may have written their own session storage classes to replace the standard symfony ones. Sessions may be stored in memory (for testing), in files, in database, write to queues or what not. That is why I added the |
|
You should reopen this, since #24523 does not solve the problem. |
|
Ok, #24523 does address this now. So this can be closed. |
…s-grekas) This PR was merged into the 3.4 branch. Discussion ---------- [HttpFoundation] Make sessions secure and lazy | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | yes | Tests pass? | not yet | Fixed tickets | #6388, #6036, #12375, #12325 | License | MIT | Doc PR | - The `SessionUpdateTimestampHandlerInterface` (new to PHP 7.0) is mostly undocumented, and just not implemented anywhere. Yet, it's required to implement session fixation preventions and lazy write in userland session handlers (there is https://wiki.php.net/rfc/session-read_only-lazy_write which describes the behavior.) By implementing it, we would make Symfony session handling much better and stronger. Meanwhile, doing some cookie headers management, this also gives the opportunity to fix the "don't start if session is only read issue". So, here we are for the general idea. Now needs more (and green) tests, and review of course. Commits ------- 347939c [HttpFoundation] Make sessions secure and lazy
Bug fix: no
Feature addition: yes
Backwards compatibility break: yes
Symfony2 tests pass: yes
Fixes the following tickets: #6036
License of the code: MIT
The session->get (and the like functions) should only start the session in the current request if the session had already been started in a previous request.