Session id/cookie keeps being generated if session is empty #44616

Closed
@johannes85


Symfony version(s) affected

5.4.1, 6.0.0, 6.0.1

Description

When sessions are enabled and read, for example, by the "app.flashes('notice')" Twig extension, Symfony keeps creating and deleting session cookies.

Call1:
Set-Cookie PHPSESSID=2dgen0hsf54p1bkoajfaigcm9e; path=/; httponly; samesite=lax

Call2:
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly; SameSite=lax
Set-Cookie: PHPSESSID=deleted; expires=Mon, 14-Dec-2020 13:58:11 GMT; Max-Age=0; path=/; httponly; samesite=lax

Call3:
Set-Cookie: PHPSESSID=6d79a702tkpjhkbu0bhl6gm2kc; path=/; httponly; samesite=lax

Call4:
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly; SameSite=lax
Set-Cookie: PHPSESSID=deleted; expires=Mon, 14-Dec-2020 13:58:53 GMT; Max-Age=0; path=/; httponly; samesite=lax

Call5: 
Set-Cookie: PHPSESSID=t4con28ia2r06rdvebko32roua; path=/; httponly; samesite=lax

And so on.

This is caused by this change: symfony/http-kernel@8983be5#diff-f78b66c251522e67fb27c1dbea2a7e22f210e7d0427f6c5654e87d7a3f54a40c

The following code deletes the session cookie if the session is empty which is the case in this example because it is only read by the flashes twig extension:

    if ($requestSessionCookieId && $session->isEmpty()) {
        $response->headers->clearCookie(
            $sessionName,
            $sessionCookiePath,
            $sessionCookieDomain,
            $sessionCookieSecure,
            $sessionCookieHttpOnly,
            $sessionCookieSameSite
        );
    }

Maybe I'm missing something but this code causes other problems, too: #44609

How to reproduce

  • Set up a Symfony project: symfony new test
  • Install twig bundle: composer require symfony/twig-bundle
  • Add route to example project to render base template:
    #[Route('/')]
    public function test() {
      return $this->render('base.html.twig', [
      ]);
    }
    
  • Read flashes in base template:
    {% for message in app.flashes('notice') %}
        <div class="flash-notice">
            {{ message }}
        </div>
    {% endfor %}
    
  • Enable sessions in framework config:
    session:
        enabled: true
        handler_id: null
        cookie_secure: false
        cookie_samesite: lax
        storage_factory_id: session.storage.factory.native
    
  • Call the route multiple times

I also created a Docker container to reproduce the problem: https://gist.github.com/johannes85/4ca8c660c7643b01d35aeb0fd43e77fe
Run it like this: docker build . -t symtest && docker run --rm -it symtest

Possible Solution

No response

Additional Context

No response
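
An added example, not part of the original report or of Symfony's code: a Python check that classifies the Set-Cookie headers of successive responses to one client and flags the issue/clear cycle described in this issue. The header values are the ones quoted in Call1 to Call5 above; the function names and the two-cycle threshold are assumptions of the example.

```python
# Added example: flag session-cookie churn from Set-Cookie headers.
# Header values below are the ones quoted in the report (Call1..Call5).
RESPONSES = [
    ["PHPSESSID=2dgen0hsf54p1bkoajfaigcm9e; path=/; httponly; samesite=lax"],
    ["PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly; SameSite=lax",
     "PHPSESSID=deleted; expires=Mon, 14-Dec-2020 13:58:11 GMT; Max-Age=0; path=/; httponly; samesite=lax"],
    ["PHPSESSID=6d79a702tkpjhkbu0bhl6gm2kc; path=/; httponly; samesite=lax"],
    ["PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly; SameSite=lax",
     "PHPSESSID=deleted; expires=Mon, 14-Dec-2020 13:58:53 GMT; Max-Age=0; path=/; httponly; samesite=lax"],
    ["PHPSESSID=t4con28ia2r06rdvebko32roua; path=/; httponly; samesite=lax"],
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attrs

def classify(headers, cookie_name="PHPSESSID"):
    """Return ('issued', id), ('cleared', None) or ('none', None) for one response."""
    outcome = ("none", None)
    for header in headers:  # later headers override earlier ones, as in a browser
        name, val, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        # Max-Age <= 0 expires the cookie immediately; Expires is not evaluated here.
        try:
            expired = int(attrs.get("max-age", "")) <= 0
        except ValueError:
            expired = False
        outcome = ("cleared", None) if expired else ("issued", val)
    return outcome

def churn_report(responses, cookie_name="PHPSESSID"):
    """Summarise one client's responses; the threshold of 2 cycles is an assumption."""
    events = [classify(headers, cookie_name) for headers in responses]
    ids = {sid for kind, sid in events if kind == "issued"}
    cycles = sum(1 for a, b in zip(events, events[1:])
                 if a[0] == "issued" and b[0] == "cleared")
    return {"events": [kind for kind, _ in events], "distinct_ids": len(ids),
            "issue_clear_cycles": cycles, "churning": cycles >= 2 and len(ids) > 1}

if __name__ == "__main__":
    print(churn_report(RESPONSES))
```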
