Session indirectly started by RequestDataCollector in HttpKernel #25698
Comments
|
Actually that's expected behavior: this page is not cachable - it used the session to be generated. |
|
@nicolas-grekas I don't quite understand, then. As my code didn't explicitly start and doesn't need it, can I disable the session functionality completely or is that required by the profiler to function? |
|
@nicolas-grekas: This is what I was talking about when you started the session refactoring. The framework or it's debug components shouldn't start the session unless it has been started by the developer's code explicitly. |
|
This make a little more sense to me now, so A session is required for the profiler to work (to catch redirects I believe) A session being started (even for an indirect reason such as this) means the response should be considered private, even if this could sometimes be inconvenient. But, do we really need to |
|
Actually, this may be fixable: we should just not use the session to forward the |
It's a tradeoff: using a cookie would mean that both the redirection and the target page will not be cachable (because of the
IMHO that might confuse developers, but there are less hidden moving parts, so this might be a good idea, you've got my 👍 on this one. Depending on the feedback, I'm happy to help going to either direction by PRing the changes. |
|
I think a URL parameter might be the simplest here, because there's no need to really clear it. I can imagine browser extensions or settings potentially causing more problems with cookies too. Happy to help on this when I next get a chance too, if that's the way people want to go. |
|
The obvious problem is the URL parameter is that it requires the user to generates the URL using Symfony's router, and would require the HttpKernel component to know about it... which is not going to work well IMHO. The Cookie option seems to be the only suitable alternative. |
|
See #25719 |
…n (sroze) This PR was merged into the 3.4 branch. Discussion ---------- [HttpKernel] Uses cookies to track the requests redirection | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #25698 | License | MIT | Doc PR | ø In order to track the redirections across requests, we need to have some state. So far, we've been using the session but some users have complained about it (#24774, #24730). The idea is that we don't actually need the session, we can use cookies. It's a tradeoff: using a cookie would mean that both the redirection and the target page will not be cachable (because of the Set-Cookie to set the sf_redirect and the one to clear it). As it's only on dev, it seems fair to say that having no cache (because of `Set-Cookie`s) is a better side effect than starting the session. Commits ------- 83f2579 Uses cookies to track the requests redirection
In any environment where the profiler is enabled, I noticed Cache-control headers were not working correctly. This seems due to this bit of code, marking all requests in sessions as private with a max-age of 0 https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpKernel/EventListener/SaveSessionListener.php#L54 .
I wasn't aware my requests were actually using sessions, and on debugging with help in Slack, it looks like it's started by this RequestDataCollector as it doesn't check whether the session is started or not before inspecting it. Inspecting it starts the session, and overrides my cache headers.
The fix seems to be adding
In https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpKernel/DataCollector/RequestDataCollector.php#L328
*I'm not sure exactly which symfony versions this affects, but it could have been introduced here: 95d0b72#diff-e8f5b14fbfbbeac60fc9f3abe310c3b0 . Does this commit need reverting or changing, or am I misunderstanding something?The text was updated successfully, but these errors were encountered: