Skip to content

[WIP] [Security] Session concurrency control #12009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 16 commits into from
Closed

[WIP] [Security] Session concurrency control #12009

wants to merge 16 commits into from

Conversation

ajgarlag
Copy link
Contributor

Q A
Bug fix? no
New feature? yes
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets #7845
License MIT
Doc PR symfony/symfony-docs#4440

This PR is based on #786 by @paschke. The most important changes from this PR are listed below:

  • No change is done in Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface to maintain BC.
  • The SQL for the upsert in Symfony\Bridge\Doctrine\Security\SessionRegistry\SessionRegistryStorage is borrowed from Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler
  • A new Symfony\Component\Security\Http\Session\CompositeSessionAuthenticationStrategy class exits to wrap the actual SessionAuthenticationStrategy, and to split the concurrency control in two steps: the first one checks the concurrency, the last one registers the session information in the registry.
  • The new configuration parameter firewalls.secured_area.session_concurrency.error_if_maximum_exceeded allows you to configure the default behaviour when session concurrency is detected: to avoid a new login, or to expire the oldest sessions.
  • The Symfony\Component\Security\Http\Firewall\ConcurrentSessionListener is renamed to Symfony\Component\Security\Http\Firewall\ExpiredSessionListener
  • We have some unit and functional tests now.

@ajgarlag ajgarlag mentioned this pull request Sep 24, 2014
Closed
stof
stof reviewed Sep 25, 2014
View reviewed changes
src/Symfony/Bridge/Doctrine/Security/SessionRegistry/SessionRegistryStorage.php

while ($data = $statement->fetch(\PDO::FETCH_ASSOC)) {
$sessionInformations[] = $this->instantiateSessionInformationFromResultSet($data);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should call $statement->closeCursor() at the end of the iteration to close the cursor so that memory can be reclaimed by the DB driver

@javiereguiluz
Copy link
Member

Impressive work @ajgarlag! It's a really big PR and targets one of the most difficult parts of Symfony.

@ajgarlag
Copy link
Contributor Author

Thanks @javiereguiluz. I've fought with the Security component several times in the past, but I think I will never understand it fully.

Anyway, this PR couldn't be possible without the previous work by @paschke in #786.

@ajgarlag ajgarlag force-pushed the feature/session-concurrency branch from 54e2d41 to fccc826 Compare September 26, 2014 09:10
@ajgarlag ajgarlag force-pushed the feature/session-concurrency branch from 4fda8da to 24c2120 Compare October 27, 2014 09:05
@ajgarlag
Copy link
Contributor Author

ajgarlag commented Nov 4, 2014

@fabpot @schmittjoh Any feedback for this Session Concurrency Control feature is welcome. I'd like to start a Doc PR as a cookbook.

@polc
Copy link
Contributor

polc commented Nov 4, 2014

Hey! look at #12284 for CS !

@ajgarlag ajgarlag force-pushed the feature/session-concurrency branch from 24c2120 to 4ca3a47 Compare November 10, 2014 17:10
@ajgarlag ajgarlag mentioned this pull request Nov 10, 2014
Closed
@ajgarlag ajgarlag changed the title [Security] Session concurrency control [WIP] [Security] Session concurrency control Nov 11, 2014
@ajgarlag ajgarlag mentioned this pull request Dec 2, 2014
Closed
@ajgarlag
Copy link
Contributor Author

ajgarlag commented Dec 2, 2014

After reviewing the PR, I've discovered that two different concerns are involved here, so I've split it in two different PRs. I close this PR in favor of the other ones:

  1. Session expiration: [Security] Idle sessions expiration. #12807
  2. Session concurrency control: [Security] Session concurrency control #12810

@ajgarlag ajgarlag closed this Dec 2, 2014
@ajgarlag ajgarlag mentioned this pull request Oct 11, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ajgarlag @javiereguiluz @polc @stof @romainneutron