[Session] SessionInterface should have a destroy() method. Currently there is no way to simply destroy a session #12375
Comments
Yes, I agree.
Working on this.
488bc8b is the functionality for this. There are a few issues though:
Also, right now both the "set" and "get" methods of the session object will start up the session. That seems logical for "set", but the behaviour should probably be changed for "get".
+1, sessions need a bunch of improvements. Let's do the necessary BC breaks in Symfony 3.0! (add to #11742?) Note that session_destroy does not remove the session cookie, it only removes all data. But for caching, what we really need is to get rid even of the session cookie. Maybe we could call the method and let's not mix this issue with the topic of fixing session behaviour to avoid accidental sessions. That is the topic of #6036, and there is #6388 which has been waiting for feedback for a long time. I hope that #12325 can be pushed forward to clean up session handling in Symfony in general.
By the way, the workaround I currently use is
What does "write rfc" mean?
Oh, just stumbled upon http://symfony.com/doc/current/reference/configuration/security.html#logout-configuration and the
@geoffrey-brier Do you finally use
@alterphp TBH I didn't implement something, as only admins can log in and the impact was not that important. But from what I remember, delete_cookies would have been too complicated to implement as I had a bunch of cookies, and I figured that the easiest thing to do would be to manually clear ALL cookies in a logout success handler.
@geoffrey-brier Thanks. I use a logout success handler too, as I can't make
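The "clear all cookies in a logout success handler" workaround described in the two comments above, written out as an added example (this is not code from the thread participants or from Symfony itself). It assumes the Symfony 2.x/3.x `LogoutSuccessHandlerInterface`, that Symfony's own `SessionLogoutHandler` has already invalidated the session before the success handler runs (the `invalidate_session: true` default), and the service id `app.logout_success_handler`, the redirect target `/login` and the `cookie_consent` keep-list are made up for the example:

```php
<?php
// Added example, not part of the original issue thread or of Symfony.
// Assumed APIs (Symfony 2.x/3.x): LogoutSuccessHandlerInterface::onLogoutSuccess(Request)
// returning a Response, and ResponseHeaderBag::clearCookie($name, $path, $domain).
//
// Assumed wiring in security.yml (firewall section):
//   logout:
//       path: /logout
//       invalidate_session: true               # SessionLogoutHandler runs before this handler
//       success_handler: app.logout_success_handler
// and a service definition registering this class under that id.

namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

class CookieClearingLogoutSuccessHandler implements LogoutSuccessHandlerInterface
{
    /** Cookies that must survive a logout (assumed example list: a consent-banner flag). */
    private $keep = array('cookie_consent');

    /**
     * @return Response
     */
    public function onLogoutSuccess(Request $request)
    {
        $response = new RedirectResponse('/login');

        // Expire every cookie the browser sent with the logout request: the PHP session
        // cookie, a remember-me cookie and anything else the application set.
        // clearCookie() adds a Set-Cookie header with an expiry date in the past.
        foreach ($request->cookies->keys() as $name) {
            if (in_array($name, $this->keep, true)) {
                continue;
            }
            // The path and domain must match the ones the cookie was originally set with,
            // otherwise the browser keeps the old cookie. '/' and a host-only cookie
            // (domain null) are PHP's defaults for the session cookie.
            $response->headers->clearCookie($name, '/', null);
        }

        return $response;
    }
}
```

Note what this does and does not achieve: the client is left without any cookie, so no stale session or remember-me token survives in the browser, but the storage side is untouched, so the empty session that `invalidate()` starts is still written by the handler (the database rows the issue complains about). Cookies scoped to another path or domain are not removed by this loop. After deploying, check the logout response with `curl -i` and confirm that the last `Set-Cookie` header for the session cookie name carries a past expiry.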
…s-grekas) This PR was merged into the 3.4 branch.

Discussion
----------

[HttpFoundation] Make sessions secure and lazy

| Q             | A   |
| ------------- | --- |
| Branch?       | 3.4 |
| Bug fix?      | no  |
| New feature?  | yes |
| BC breaks?    | no  |
| Deprecations? | yes |
| Tests pass?   | not yet |
| Fixed tickets | #6388, #6036, #12375, #12325 |
| License       | MIT |
| Doc PR        | - |

The `SessionUpdateTimestampHandlerInterface` (new to PHP 7.0) is mostly undocumented, and just not implemented anywhere. Yet, it's required to implement session fixation prevention and lazy write in userland session handlers (there is https://wiki.php.net/rfc/session-read_only-lazy_write which describes the behavior.) By implementing it, we would make Symfony session handling much better and stronger. Meanwhile, doing some cookie headers management, this also gives the opportunity to fix the "don't start if session is only read" issue. So, here we are for the general idea. Now needs more (and green) tests, and review of course.

Commits
-------

347939c [HttpFoundation] Make sessions secure and lazy
SessionInterface::invalidate() starts a new session after invalidating the current one.
When PdoSessionHandler is used, this creates unnecessary DB entries.
In my case sessions have a long gc_maxlifetime (because they are used by mobile clients), so there is no way to close a session without generating implicit redundant DB rows which stay there for a long time.