New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SecurityBundle] Set request stateless when firewall is stateless #48044
[SecurityBundle] Set request stateless when firewall is stateless #48044
Conversation
Hey! I think @TimoBakx has recently worked with this code. Maybe they can help review this? Cheers! Carsonbot |
Thanks for the PR. |
bbbc0ee
to
6923cb3
Compare
I rebased on branch 6.3 😄 |
This looks wrong to me. Something else than the Firewall could still be using the session. |
@stof Sure, but that's why you want a warning IMO. If the firewall is stateless then you shouldn't rely on the session and opening one will most likely result in data loss or at least inefficiencies in the code as it reads from session storage for nothing. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Using the session on a stateless firewall looks like a mistake to me.
This allows spotting it.
6923cb3
to
ce458c6
Compare
Thank you @alamirault. |
I tend to agree with @stof here: while it's true that most stateless firewalls are used with stateless routes, this is not systematic and you can have stateless authentication (using JWT cookies or an HTTP middleware adding trusted headers to the request for example) but still require sessions for some specific pages (for CSRF tokens or flash messages for example). I believe we should at least allow this behavior to be overridable if the current request is already marked as |
…bute is not defined (tucksaun) This PR was merged into the 6.3 branch. Discussion ---------- [SecurityBundle] Set request stateless only if the attribute is not defined | Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | yes-ish | New feature? | no | Deprecations? | no | Tickets | #48044 (comment) | License | MIT | Doc PR | n/a The current implementation makes sense for most cases but not for every case as one can have a stateless authentication but still requires sessions. This PR allows setting the request as non-stateless while having a stateless firewall but keeping the new behavior by default. Commits ------- 5f29c8d [SecurityBundle] Set request stateless if the attribute is not already defined
…ed (alamirault) This PR was squashed before being merged into the 6.3 branch. Discussion ---------- Set request stateless only if the attribute is not defined symfony/symfony#48044 added in 6.3 was updated in symfony/symfony#49997. This PR ajust behavior documentation Commits ------- 20ee4d7 Set request stateless only if the attribute is not defined
Our software falls into the case described by @tucksaun, so after updateing to 6.3 it breakes our software. Instead of using the signin methods provided by Symfony, we load the user object from a external server with a session id cookie written by an external SSO software. For this we use a custom, stateless authenticator. We also use Symfony sessions, but not for authetication, which triggers the "Session was used while the request was declared stateless." exception. Is there any way to override this behavior? I found his pull request (symfony/symfony-docs#18195) but I didn't find any documentation what to change in order to get the old behavior |
@johannes85 you can define the request as stateful via the routing: #config/routes/security.yaml
app_logout:
path: /logout
methods: GET
defaults:
_stateless: false // [...]
class DashboardController extends AbstractDashboardController
{
#[Route('/admin', name: 'admin', stateless: false)]
public function index(): Response
// [...] |
Thank you. I wasn't sure if it is that easy or if I do something "not the symfony way" which will break someting else. |
I've opened #50715 for further discussion. |
Automatically add
_stateless
attribute to the request when firewall is stateless