[Security] Mark the request as _stateless if the firewall used is stateless #40372
Comments
Thank you for this suggestion.
Still relevant, will see if I can work on a patch.
Patch welcome indeed :)
Thank you for this suggestion.
fabpot added a commit that referenced this issue Dec 18, 2022

…s stateless (alamirault)

This PR was squashed before being merged into the 6.3 branch.

Discussion
----------

[SecurityBundle] Set request stateless when firewall is stateless

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | no
| New feature?  | yes <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets       | Fix #40372 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License       | MIT
| Doc PR        | symfony/symfony-docs#... <!-- required for new features -->

Automatically add `_stateless` attribute to the request when firewall is stateless

Commits
-------

ce458c6 [SecurityBundle] Set request stateless when firewall is stateless
Description
As of 5.1, routes can be marked stateless which is a great addition. It occurred to me that if a firewall is configured to be stateless, the Request could also automatically receive the stateless attribute if it matches the firewall config.
Example
Security config example:
In this case, requests to the `api.example.org` should get the `_stateless` attribute automatically, so we get warned if any API usage has a session started. Using stateless routes in this case is not strictly possible as we have routes usable on both api and regular domain, and they do make use of sessions for user authentication on the regular domain, but not on the API one.
I for now fixed this with a request listener setting the attribute myself, but it would be nice if the framework took care of it.
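
A sketch of the kind of request listener described above, as an added example that is not the issue author's code and not the merged Symfony patch. It assumes Symfony 5.3+ on PHP 8; the class name and namespace are hypothetical, and the `security.firewall.map` service is assumed to be wired to the constructor explicitly.

```php
<?php

namespace App\EventListener; // hypothetical namespace

use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

// Hypothetical subscriber: copies the matched firewall's "stateless" flag onto
// the request, so session usage on stateless firewalls is reported the same
// way as for routes marked stateless.
final class StatelessFirewallSubscriber implements EventSubscriberInterface
{
    // Assumption: the "security.firewall.map" service is injected here
    // through explicit service configuration.
    public function __construct(private FirewallMap $firewallMap)
    {
    }

    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::REQUEST => 'onKernelRequest'];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        // Only the main request is marked; sub-requests are left untouched.
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();

        // A route may already have set _stateless (true or false); keep it.
        if ($request->attributes->has('_stateless')) {
            return;
        }

        // Null when no firewall matches this request.
        $config = $this->firewallMap->getFirewallConfig($request);

        if (null !== $config && $config->isStateless()) {
            $request->attributes->set('_stateless', true);
        }
    }
}
```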