Sessions are always started for anonymous users, unnecessarily. #6917
Hi, does #6388 apply to your case? I mean, if you patch it, will it solve the problem?
I'll check it out, thanks.
@fabpot any chance of just getting a ruling on whether or not this is actually a bug?
This is indeed a bug that seems to have been introduced in #2414.
@bendavies did you try the patch I mentioned to see if it fixes this issue? If so, then maybe it could be reviewed again and decided upon then.
@dlsniper sorry, didn't get around to it. Trying now.
@dlsniper yes, your patch works.
@bendavies not my patch but glad it helps. You should watch the discussion there before applying it to production code. Things might change in the future.
This fix to
I'm completely unfamiliar with this code so would need someone familiar to verify. @fabpot ?
Does #6964 fix this issue?
Indeed!
This PR was merged into the 2.1 branch.

Commits
-------
8ca00c5 [Security] fixed session creation when none is needed (closes #6917)

Discussion
----------
[Security] fixed session creation when none is needed (closes #6917)

| Q             | A     |
| ------------- | ----- |
| Bug fix?      | yes   |
| New feature?  | no    |
| BC breaks?    | no    |
| Deprecations? | no    |
| Tests pass?   | yes   |
| Fixed tickets | #6917 |
| License       | MIT   |
| Doc PR        | n/a   |

---------------------------------------------------------------------------

by drak at 2013-02-04T16:24:49Z

That looks good. Maybe we need a test for this logic to prevent any regression in the future?

---------------------------------------------------------------------------

by bendavies at 2013-02-04T16:30:38Z

Yep, this was exactly what I tried locally, but really wasn't familiar enough with it to be confident enough to submit it as a fix. Works for me!

---------------------------------------------------------------------------

by bendavies at 2013-02-04T17:19:32Z

A few test failures which were added by the breaking PR #2414 in the first place.

---------------------------------------------------------------------------

by fabpot at 2013-02-04T18:00:31Z

I've fixed the tests which now really test that the session is not started.
It appears that Symfony always starts a session for anonymous users, even though it may not be required.
The offending line appears to be symfony/src/Symfony/Component/Security/Http/Firewall/ContextListener.php, line 125 at ef5300d, which triggers a session start.
This makes caching responses on Vary: Cookie perform pretty badly, as every new anonymous visitor gets a new and unique PHP session id cookie, which results in a cache miss.
Obviously the preference would be that a session is not started for anonymous users unless absolutely necessary, thus triggering far more cache hits for Vary: Cookie response caching.
Apologies if my diagnosis or logic is completely wrong.
/ping @Drak @schmittjoh @lsmith77
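The mechanism behind the report, as an added illustration that is neither Symfony's code nor the patch from #6964: a constructed lazy session (any read or write starts it, as PHP's native session storage does) and two versions of a firewall response listener. The first always touches the session on the way out, so a first-time anonymous visitor ends up with a started session and a fresh session cookie, the cache-miss case described above. The second only touches the session when there is a token to store or the client already sent a session cookie. The token classes, the `_security_main` key (Symfony's real key is `'_security_'.$contextKey`) and the `$hadPreviousSession` boolean, which stands in for Symfony's `Request::hasPreviousSession()`, are assumptions for the example.

```php
<?php
// Added illustration (not Symfony's code): a minimal lazy session plus two
// versions of a firewall response listener, showing why touching the session
// for an anonymous visitor starts it, and how to avoid that.

class LazySession
{
    private $started = false;
    private $data = array();

    public function isStarted()
    {
        return $this->started;
    }

    // Like PHP's native session storage, any read or write starts the session;
    // in a real request this is the point where the PHPSESSID cookie is issued.
    public function remove($key)
    {
        $this->start();
        unset($this->data[$key]);
    }

    public function set($key, $value)
    {
        $this->start();
        $this->data[$key] = $value;
    }

    private function start()
    {
        $this->started = true;
    }
}

// Constructed stand-ins for Symfony's token classes.
class AnonymousToken
{
}

class UserToken
{
    public $username;

    public function __construct($username)
    {
        $this->username = $username;
    }
}

// Variant A, the behaviour the issue describes: the listener always touches the
// session when the response is sent, so even a first-time anonymous visitor
// ends up with a started session and a unique cookie.
function persistTokenAlways(LazySession $session, $token, $hadPreviousSession)
{
    if (null === $token || $token instanceof AnonymousToken) {
        $session->remove('_security_main');
    } else {
        $session->set('_security_main', serialize($token));
    }
}

// Variant B: only touch the session when there is a token to store, or when
// the client already sent a session cookie ($hadPreviousSession stands in for
// Symfony's Request::hasPreviousSession()) and a stale token may need clearing.
function persistTokenWhenNeeded(LazySession $session, $token, $hadPreviousSession)
{
    if (null === $token || $token instanceof AnonymousToken) {
        if ($hadPreviousSession) {
            $session->remove('_security_main');
        }
    } else {
        $session->set('_security_main', serialize($token));
    }
}

// Constructed scenarios: which visitors end up with a started session?
$scenarios = array(
    'first-time anonymous visitor'                  => array(new AnonymousToken(), false),
    'anonymous visitor with a prior session cookie' => array(new AnonymousToken(), true),
    'authenticated user'                            => array(new UserToken('alice'), false),
);

foreach (array('persistTokenAlways', 'persistTokenWhenNeeded') as $listener) {
    echo $listener, ":\n";
    foreach ($scenarios as $label => $case) {
        $session = new LazySession();
        $listener($session, $case[0], $case[1]);
        // A started session means a Set-Cookie header on the response, which
        // makes a shared cache keyed on Vary: Cookie miss for that visitor.
        echo '  ', $label, ' => session ',
            $session->isStarted() ? 'started (cache miss)' : 'not started (cacheable)', "\n";
    }
}
```

Run it with `php example.php`: the first listener starts the session in all three scenarios, the second only in the last two. That difference is exactly what decides whether a shared cache in front of Vary: Cookie responses can serve anonymous visitors from cache, so a regression test for this behaviour should assert that the session is still not started after the response listener runs for an anonymous request with no prior session cookie.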