I can't find any reason why this was not originally implemented. I mean - I think it was just an oversight, as you mentioned in #13668.

A) Here is a blame on the fact that session.use_cookies is set to 1 - it just says it's a sensible default: 39526df#diff-ed43f01e0d282653013b89d059ee6092R91

B) And use_cookies is listed as a valid option for the class: https://github.com/symfony/symfony/blob/2.8/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php#L312

@derrabus does/did this patch accomplish what you needed (i.e. sessions without a cookie being set)? If so, 👍 from me.

And sorry for the delay @derrabus :)

Thanks for your answer, @weaverryan. Yes, I've tested the patch back then with our codebase and it worked. Our project currently uses the workaround I mentioned in #13668 which works as good, but future maintenance will certainly be easier if this patch gets merged.

👍 and I think it's safe to merge in 2.3. But could also be seen as a new feature.

Some options are not exposed on purpose I guess like http://php.net/manual/en/session.configuration.php#ini.session.use-trans-sid which should not be used. But disabling cookies for manual session initialization in an API seems sensible.

@derrabus you set the session id based on the HTTP header and then call session start() right to get this working?

It is not an oversight. I consciously did not include use_sessions in the configuration back then.

If we were to support it, it's definitely a new feature for 2.8.

@Tobion Yes, more or less like this.

$session = $request->getSession();
$sid = $this->extractSid($request->headers->get('My-Header'));
$session->setId($sid);
$session->start();

@fabpot In that case, I will rebase my patch against the 2.8 branch.

Please see #15123 for a patch against 2.8.