From 99781f869f09799ec70ca770d7f8c5dbcbc35f01 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 16 Dec 2014 18:30:21 +0100 Subject: [PATCH 1/4] Added a short cookbook about avoiding the automatic start of the sessions --- cookbook/session/avoid_session_start.rst | 54 ++++++++++++++++++++++++ cookbook/session/index.rst | 3 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 cookbook/session/avoid_session_start.rst diff --git a/cookbook/session/avoid_session_start.rst b/cookbook/session/avoid_session_start.rst new file mode 100644 index 00000000000..bdb63ed3d40 --- /dev/null +++ b/cookbook/session/avoid_session_start.rst @@ -0,0 +1,54 @@ +.. index:: + single: Sessions, cookies + +Avoid Starting Sessions for Anonymous Users +=========================================== + +Sessions in Symfony applications are automatically started when they are necessary. +This includes writing in the user's session, creating a flash message and logging +in users. In order to start the session, Symfony creates a cookie which will be +sent for every request. + +However, there are other scenarios when a session is started and therefore, a +cookie will be created even for anonymous users. First, consider the following +code commonly used to display flash messages: + +.. code-block:: html+jinja + + {% for flashMessage in app.session.flashbag.get('notice') %} +
+ {{ flashMessage }} +
+ {% endfor %} + +Even if the user is not logged in and even if you haven't created any flash message, +just calling the ``get()`` method of the ``flashbag`` will start a session. This +may hurt your application performance because all users will receive a session +cookie. To avoid this behavior, add a check before trying to access the flash messages: + +.. code-block:: html+jinja + + {% if app.session.started %} + {% for flashMessage in app.session.flashbag.get('notice') %} +
+ {{ flashMessage }} +
+ {% endfor %} + {% endif %} + +Another scenario where session cookies will be automatically sent is when the +requested URL is covered by a firewall, no matter if anonymous users can access +to that URL: + +.. code-block:: yaml + + # app/config/security.yml + security: + firewalls: + main: + pattern: ^/ + form_login: ~ + anonymous: ~ + +This behavior is caused because in Symfony applications, anonymous users are +technically authenticated,. diff --git a/cookbook/session/index.rst b/cookbook/session/index.rst index 536ad02c3d8..0420126b48e 100644 --- a/cookbook/session/index.rst +++ b/cookbook/session/index.rst @@ -7,4 +7,5 @@ Sessions proxy_examples locale_sticky_session sessions_directory - php_bridge \ No newline at end of file + php_bridge + avoid_session_start \ No newline at end of file From 02127792b2df3eb02ad08f23634aa5f1149d7643 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Wed, 17 Dec 2014 12:21:51 +0100 Subject: [PATCH 2/4] Tweaks and rewordings to improve the article --- cookbook/session/avoid_session_start.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cookbook/session/avoid_session_start.rst b/cookbook/session/avoid_session_start.rst index bdb63ed3d40..c826324c30c 100644 --- a/cookbook/session/avoid_session_start.rst +++ b/cookbook/session/avoid_session_start.rst 
@@ -4,14 +4,14 @@ Avoid Starting Sessions for Anonymous Users =========================================== -Sessions in Symfony applications are automatically started when they are necessary. +Sessions in Symfony applications are automatically started whenever they are necessary. This includes writing in the user's session, creating a flash message and logging in users. In order to start the session, Symfony creates a cookie which will be -sent for every request. +added to every user request. -However, there are other scenarios when a session is started and therefore, a +However, there are other scenarios when a session is started automatically and a cookie will be created even for anonymous users. First, consider the following -code commonly used to display flash messages: +template code commonly used to display flash messages: .. code-block:: html+jinja @@ -37,7 +37,7 @@ cookie. To avoid this behavior, add a check before trying to access the flash me {% endif %} Another scenario where session cookies will be automatically sent is when the -requested URL is covered by a firewall, no matter if anonymous users can access +requested URL is covered by a firewall, even when anonymous users can access to that URL: .. code-block:: yaml @@ -51,4 +51,4 @@ to that URL: anonymous: ~ This behavior is caused because in Symfony applications, anonymous users are -technically authenticated,. +technically authenticated. From 7dd3945c8c143d60e42ca67f353e2ede4dad04b2 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Mon, 22 Dec 2014 12:33:14 +0100 Subject: [PATCH 3/4] Added the new cookbook article to the global map --- cookbook/map.rst.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbook/map.rst.inc b/cookbook/map.rst.inc index 99498b50a7a..49a65cf8462 100644 --- a/cookbook/map.rst.inc +++ b/cookbook/map.rst.inc 
@@ -166,6 +166,7 @@ * :doc:`/cookbook/session/sessions_directory` * :doc:`/cookbook/session/php_bridge` * (configuration) :doc:`/cookbook/configuration/pdo_session_storage` + * :doc:`/cookbook/session/avoid_session_start` * **symfony1** From bbba47a56c7f94dbb0a9ebe26ae57196a620eeaf Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 5 Feb 2015 14:42:21 +0100 Subject: [PATCH 4/4] Added all sugestions made by reviewers --- cookbook/session/avoid_session_start.rst | 40 +++++++----------------- 1 file changed, 12 insertions(+), 28 deletions(-) diff --git a/cookbook/session/avoid_session_start.rst b/cookbook/session/avoid_session_start.rst index c826324c30c..8736f484ad6 100644 --- a/cookbook/session/avoid_session_start.rst +++ b/cookbook/session/avoid_session_start.rst @@ -4,14 +4,14 @@ Avoid Starting Sessions for Anonymous Users =========================================== -Sessions in Symfony applications are automatically started whenever they are necessary. -This includes writing in the user's session, creating a flash message and logging -in users. In order to start the session, Symfony creates a cookie which will be -added to every user request. +Sessions are automatically started whenever you read, write or even check for the +existence of data in the session. This means that if you need to avoid creating +a session cookie for some users, it can be difficult: you must *completely* avoid +accessing the session. -However, there are other scenarios when a session is started automatically and a -cookie will be created even for anonymous users. First, consider the following -template code commonly used to display flash messages: +For example, one common problem in this situation involves checking for flash +messages, which are stored in the session. The following code would guarantee +that a session is *always* started: .. code-block:: html+jinja 
@@ -22,33 +22,17 @@ template code commonly used to display flash messages: {% endfor %} Even if the user is not logged in and even if you haven't created any flash message, -just calling the ``get()`` method of the ``flashbag`` will start a session. This -may hurt your application performance because all users will receive a session -cookie. To avoid this behavior, add a check before trying to access the flash messages: +just calling the ``get()`` (or even ``has()``) method of the ``flashbag`` will +start a session. This may hurt your application performance because all users will +receive a session cookie. To avoid this behavior, add a check before trying to +access the flash messages: .. code-block:: html+jinja - {% if app.session.started %} + {% if app.request.hasPreviousSession %} {% for flashMessage in app.session.flashbag.get('notice') %}
{{ flashMessage }}
{% endfor %} {% endif %} - -Another scenario where session cookies will be automatically sent is when the -requested URL is covered by a firewall, even when anonymous users can access -to that URL: - -.. code-block:: yaml - - # app/config/security.yml - security: - firewalls: - main: - pattern: ^/ - form_login: ~ - anonymous: ~ - -This behavior is caused because in Symfony applications, anonymous users are -technically authenticated.
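Review bot: in the new ``avoid_session_start.rst`` (patch 1/4, first hunk) the ``{% if app.session.started %}`` guard only tells the template whether *this* request has already started the session; with lazy session start it is false for a returning user whose session cookie is valid but whose session has not been touched yet in the request, so such users would silently see no flash messages. Guard on whether the request carried a session cookie instead. Two wording issues in the same hunk: "anonymous users can access to that URL" should read "can access that URL", and the closing sentence "technically authenticated,." has a stray comma before the full stop.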
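Review bot: the ``cookbook/session/index.rst`` hunk in patch 1/4 leaves the file without a trailing newline on both sides ("\ No newline at end of file"); since the last line is being rewritten anyway, terminate ``avoid_session_start`` with a newline so the next entry added to this toctree produces a one-line diff instead of touching the previous line again.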
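Review bot: in the first hunk of patch 2/4, "Symfony creates a cookie which will be added to every user request" reverses who does the adding: the server sets the cookie once in a response, and the browser then sends it back with every subsequent request. "a cookie which the browser will send back with every subsequent request" states the mechanism accurately.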
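Review bot: the ``@@ -37,7 +37,7 @@`` hunk of patch 2/4 rewords the sentence but keeps the ungrammatical "even when anonymous users can access to that URL"; drop the "to" ("can access that URL") while this line is being changed.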
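Review bot: the ``@@ -51,4 +51,4 @@`` hunk of patch 2/4 fixes the stray comma, but the article still ends on "anonymous users are technically authenticated." with no mitigation, whereas the flash-message scenario above it ends with a concrete fix. Either add what the reader should change (or state that nothing can be done and why), or drop the firewall scenario entirely.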
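Review bot: in the ``cookbook/map.rst.inc`` hunk of patch 3/4 the new ``:doc:`/cookbook/session/avoid_session_start``` entry is inserted after the ``(configuration) :doc:`/cookbook/configuration/pdo_session_storage``` cross-reference, which separates it from the other ``/cookbook/session/`` articles. Place it directly after ``php_bridge`` so the session articles stay grouped and the cross-reference remains last in the section, matching the order used in ``index.rst`` in patch 1/4.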
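Review bot: the rewritten introduction in the first hunk of patch 4/4 drops the one sentence that linked the two ideas. The old text said that starting a session is what creates the cookie; the new text jumps from "Sessions are automatically started whenever you read, write or even check for the existence of data in the session" straight to "avoid creating a session cookie for some users" without saying that a started session is what sets the cookie. One bridging clause ("... and starting a session sets a session cookie") keeps the motivation intact.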
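Review bot: changing the guard to ``{% if app.request.hasPreviousSession %}`` in the second hunk of patch 4/4 is the right fix: it checks whether the request carried a session cookie rather than whether this request has already started the session, so returning users still see their flashes and first-time visitors never reach ``flashbag.get()``. Worth a sentence in the article: a flash message set in the current request and rendered without a redirect will not be displayed until the next request, because ``hasPreviousSession`` is false on the very request that created the session. Separately, this hunk deletes the whole firewall/anonymous-user section, and neither the diff nor the commit message ("Added all sugestions made by reviewers") says why; record in the commit message whether the claim was inaccurate or merely out of scope, so the history explains the removal.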