Skip to content

[HttpKernel] Uses cookies to track the requests redirection #25719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 8, 2018
Merged

[HttpKernel] Uses cookies to track the requests redirection #25719

merged 1 commit into from
Jan 8, 2018

Conversation

sroze
Copy link
Contributor

@sroze sroze commented Jan 8, 2018

Q A
Branch? 3.4
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets #25698
License MIT
Doc PR ø

In order to track the redirections across requests, we need to have some state. So far, we've been using the session but some users have complained about it (#24774, #24730). The idea is that we don't actually need the session, we can use cookies.

It's a tradeoff: using a cookie would mean that both the redirection and the target page will not be cachable (because of the Set-Cookie to set the sf_redirect and the one to clear it).

As it's only on dev, it seems fair to say that having no cache (because of Set-Cookies) is a better side effect than starting the session.

@sroze sroze mentioned this pull request Jan 8, 2018
Closed
@stof
Copy link
Member

stof commented Jan 8, 2018

Well, solving a complain about one page being uncachable by keeping it uncachable for a different reason does not seem to solve it.

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Jan 8, 2018
edited
Loading

@stof at least this would make it explicit about why this is not cached, and also would prevent messing up with users' Cache-Control headers. So far better IMHO.

@nicolas-grekas nicolas-grekas added this to the 3.4 milestone Jan 8, 2018
@sroze
Copy link
Contributor Author

sroze commented Jan 8, 2018

Yup, @nicolas-grekas' point was my reasoning behind it. Note that Travis' error is unrelated.

@stof
Copy link
Member

stof commented Jan 8, 2018

Looks good to me then

@fabpot
Copy link
Member

fabpot commented Jan 8, 2018

Thank you @sroze.

@fabpot fabpot merged commit 83f2579 into symfony:3.4 Jan 8, 2018
fabpot added a commit that referenced this pull request Jan 8, 2018
@fabpot
bug #25719 [HttpKernel] Uses cookies to track the requests redirectio…
5f05774 
…n (sroze)

This PR was merged into the 3.4 branch.

Discussion
----------

[HttpKernel] Uses cookies to track the requests redirection

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #25698
| License       | MIT
| Doc PR        | ø

In order to track the redirections across requests, we need to have some state. So far, we've been using the session but some users have complained about it (#24774, #24730). The idea is that we don't actually need the session, we can use cookies.

It's a tradeoff: using a cookie would mean that both the redirection and the target page will not be cachable (because of the Set-Cookie to set the sf_redirect and the one to clear it).

As it's only on dev, it seems fair to say that having no cache (because of `Set-Cookie`s) is a better side effect than starting the session.

Commits
-------

83f2579 Uses cookies to track the requests redirection
@sroze sroze deleted the uses-cookies-to-track-redirections branch January 8, 2018 18:53
@sroze sroze mentioned this pull request Jan 8, 2018
Merged
fabpot added a commit that referenced this pull request Jan 10, 2018
@fabpot
minor #25720 [HttpKernel] Add tests for request collector and cookie …
8ab89ce 
…redirection (sroze)

This PR was merged into the 3.4 branch.

Discussion
----------

[HttpKernel] Add tests for request collector and cookie redirection

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes (#25719)
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        | ø

Not that I felt bad doing a PR without tests (#25719) but this one adds tests to be sure we stabilize this cookie-based redirection.

Commits
-------

7b4f5a1 Add tests for the HttpKernel request collector and redirection via cookies
This was referenced Jan 29, 2018
Merged
Merged
@adamwojs adamwojs mentioned this pull request Feb 1, 2018
Closed
2 tasks
@lookitsjonno
Copy link

This PR discloses the file system structure to the browser which isn't great in terms of security.

@nicolas-grekas
Copy link
Member

The profiler discloses way more info than just this cookie. It's always been flagged as FOR DEV ONLY.

@lookitsjonno
Copy link

The profiler discloses way more info than just this cookie. It's always been flagged as FOR DEV ONLY.

The folder structure is disclosed in production with profiler disabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@stof stof stof approved these changes

Assignees
No one assigned
Labels
Bug HttpKernel Status: Reviewed
Projects
None yet
Milestone
3.4
Development

Successfully merging this pull request may close these issues.
6 participants
@sroze @stof @nicolas-grekas @fabpot @lookitsjonno @carsonbot