Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Upgrading from PHP5 to PHP7 makes it impossible for us to log in without a preexisting cookie #18574

New issue
Copy link
New issue
Copy link
Closed
Closed
Upgrading from PHP5 to PHP7 makes it impossible for us to log in without a preexisting cookie#18574
Copy link
Labels
BugSecurityStatus: Reviewed
@anesse

Description

@anesse
anesse
opened on Apr 18, 2016
Issue body actions

We run with the configuration option require_previous_session: false,
because our password protected website is accessed by several external
sharepoint crawlers, which do not present their current session cookie
when they log in.

We store sessions in a hosted Memcached service at AWS, which works great.
We use php-memcached to speak with the memcached server.

With PhP5 this setup works fine. We can log in with or without a
preexisting cookie, and sessions are successfully stored in memcached.

With PhP7 we can log in perfectly well with a preexisting cookie, but
not without one, even with identical configuration as we used for PhP5.

When we try to log in without a preexisting cookie on PhP7,NativeSessionStorage.php encounters this error:

PHP Warning:  session_regenerate_id(): Session object destruction failed.
ID: user (path: /var/lib/php/sessions) in 
/var/www/app/vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/
Storage/NativeSessionStorage.php on line 216

For some reason session_regenerate_id looks for a session in the file system which will not exist.

Somehow session_regenerate_id() ignores the session storage configuration we
gave Symfony. (Our session storage configuration in php.ini is not set up)

(If we log in with a preexisting cookie, it gets stored in our Memcached server, and everything works fine)

We use Symfony 2.7.11, Fos Userbundle, Apache/2.4.7 (Ubuntu), PHP 7.0.5-2

From security.yml

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                use_referer: true
                require_previous_session: false
            logout:    true
            anonymous: true
            simple_preauth:
                authenticator: frontoffice.security.apikey_authenticator

From app/config/config_prod.yml

    framework:
        router:   { resource: "%kernel.root_dir%/config/routing.yml" }
        profiler: { only_exceptions: true }
        session:
            handler_id: session.handler.memcached
            cookie_lifetime: 346896000 

    services:
        memcached:
            class: Memcached
            arguments:
                persistent_id: %session_memcached_prefix%
            calls:
                - [ addServer, [ %session_memcached_host%, %session_memcached_port% ]]

        session.handler.memcached:
            class:     Symfony\Component\HttpFoundation\Session\Storage\Handler\MemcachedSessionHandler
            arguments: [@memcached, { prefix: %session_memcached_prefix%, expiretime: %session_memcached_expire% }]

Metadata

Metadata

Assignees

No one assigned

    Labels

    BugSecurityStatus: Reviewed

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      Morty Proxy This is a proxified and sanitized view of the page, visit original site.