From 99781f869f09799ec70ca770d7f8c5dbcbc35f01 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 16 Dec 2014 18:30:21 +0100 Subject: [PATCH 1/4] Added a short cookbook about avoiding the automatic start of the sessions --- cookbook/session/avoid_session_start.rst | 54 ++++++++++++++++++++++++ cookbook/session/index.rst | 3 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 cookbook/session/avoid_session_start.rst diff --git a/cookbook/session/avoid_session_start.rst b/cookbook/session/avoid_session_start.rst new file mode 100644 index 00000000000..bdb63ed3d40 --- /dev/null +++ b/cookbook/session/avoid_session_start.rst @@ -0,0 +1,54 @@ +.. index:: + single: Sessions, cookies + +Avoid Starting Sessions for Anonymous Users +=========================================== + +Sessions in Symfony applications are automatically started when they are necessary. +This includes writing in the user's session, creating a flash message and logging +in users. In order to start the session, Symfony creates a cookie which will be +sent for every request. + +However, there are other scenarios when a session is started and therefore, a +cookie will be created even for anonymous users. First, consider the following +code commonly used to display flash messages: + +.. code-block:: html+jinja + + {% for flashMessage in app.session.flashbag.get('notice') %} +
+ {{ flashMessage }} +
+ {% endfor %} + +Even if the user is not logged in and even if you haven't created any flash message, +just calling the ``get()`` method of the ``flashbag`` will start a session. This +may hurt your application performance because all users will receive a session +cookie. To avoid this behavior, add a check before trying to access the flash messages: + +.. code-block:: html+jinja + + {% if app.session.started %} + {% for flashMessage in app.session.flashbag.get('notice') %} +
+ {{ flashMessage }} +
+ {% endfor %} + {% endif %} + +Another scenario where session cookies will be automatically sent is when the +requested URL is covered by a firewall, no matter if anonymous users can access +to that URL: + +.. code-block:: yaml + + # app/config/security.yml + security: + firewalls: + main: + pattern: ^/ + form_login: ~ + anonymous: ~ + +This behavior is caused because in Symfony applications, anonymous users are +technically authenticated,. diff --git a/cookbook/session/index.rst b/cookbook/session/index.rst index 536ad02c3d8..0420126b48e 100644 --- a/cookbook/session/index.rst +++ b/cookbook/session/index.rst @@ -7,4 +7,5 @@ Sessions proxy_examples locale_sticky_session sessions_directory - php_bridge \ No newline at end of file + php_bridge + avoid_session_start \ No newline at end of file From 02127792b2df3eb02ad08f23634aa5f1149d7643 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Wed, 17 Dec 2014 12:21:51 +0100 Subject: [PATCH 2/4] Tweaks and rewordings to improve the article --- cookbook/session/avoid_session_start.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cookbook/session/avoid_session_start.rst b/cookbook/session/avoid_session_start.rst index bdb63ed3d40..c826324c30c 100644 --- a/cookbook/session/avoid_session_start.rst +++ b/cookbook/session/avoid_session_start.rst 
@@ -4,14 +4,14 @@ Avoid Starting Sessions for Anonymous Users =========================================== -Sessions in Symfony applications are automatically started when they are necessary. +Sessions in Symfony applications are automatically started whenever they are necessary. This includes writing in the user's session, creating a flash message and logging in users. In order to start the session, Symfony creates a cookie which will be -sent for every request. +added to every user request. -However, there are other scenarios when a session is started and therefore, a +However, there are other scenarios when a session is started automatically and a cookie will be created even for anonymous users. First, consider the following -code commonly used to display flash messages: +template code commonly used to display flash messages: .. code-block:: html+jinja @@ -37,7 +37,7 @@ cookie. To avoid this behavior, add a check before trying to access the flash me {% endif %} Another scenario where session cookies will be automatically sent is when the -requested URL is covered by a firewall, no matter if anonymous users can access +requested URL is covered by a firewall, even when anonymous users can access to that URL: .. code-block:: yaml @@ -51,4 +51,4 @@ to that URL: anonymous: ~ This behavior is caused because in Symfony applications, anonymous users are -technically authenticated,. +technically authenticated. From 7dd3945c8c143d60e42ca67f353e2ede4dad04b2 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Mon, 22 Dec 2014 12:33:14 +0100 Subject: [PATCH 3/4] Added the new cookbook article to the global map --- cookbook/map.rst.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/cookbook/map.rst.inc b/cookbook/map.rst.inc index 99498b50a7a..49a65cf8462 100644 --- a/cookbook/map.rst.inc +++ b/cookbook/map.rst.inc 
@@ -166,6 +166,7 @@ * :doc:`/cookbook/session/sessions_directory` * :doc:`/cookbook/session/php_bridge` * (configuration) :doc:`/cookbook/configuration/pdo_session_storage` + * :doc:`/cookbook/session/avoid_session_start` * **symfony1** From bbba47a56c7f94dbb0a9ebe26ae57196a620eeaf Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 5 Feb 2015 14:42:21 +0100 Subject: [PATCH 4/4] Added all sugestions made by reviewers --- cookbook/session/avoid_session_start.rst | 40 +++++++----------------- 1 file changed, 12 insertions(+), 28 deletions(-) diff --git a/cookbook/session/avoid_session_start.rst b/cookbook/session/avoid_session_start.rst index c826324c30c..8736f484ad6 100644 --- a/cookbook/session/avoid_session_start.rst +++ b/cookbook/session/avoid_session_start.rst @@ -4,14 +4,14 @@ Avoid Starting Sessions for Anonymous Users =========================================== -Sessions in Symfony applications are automatically started whenever they are necessary. -This includes writing in the user's session, creating a flash message and logging -in users. In order to start the session, Symfony creates a cookie which will be -added to every user request. +Sessions are automatically started whenever you read, write or even check for the +existence of data in the session. This means that if you need to avoid creating +a session cookie for some users, it can be difficult: you must *completely* avoid +accessing the session. -However, there are other scenarios when a session is started automatically and a -cookie will be created even for anonymous users. First, consider the following -template code commonly used to display flash messages: +For example, one common problem in this situation involves checking for flash +messages, which are stored in the session. The following code would guarantee +that a session is *always* started: .. code-block:: html+jinja 
@@ -22,33 +22,17 @@ template code commonly used to display flash messages: {% endfor %} Even if the user is not logged in and even if you haven't created any flash message, -just calling the ``get()`` method of the ``flashbag`` will start a session. This -may hurt your application performance because all users will receive a session -cookie. To avoid this behavior, add a check before trying to access the flash messages: +just calling the ``get()`` (or even ``has()``) method of the ``flashbag`` will +start a session. This may hurt your application performance because all users will +receive a session cookie. To avoid this behavior, add a check before trying to +access the flash messages: .. code-block:: html+jinja - {% if app.session.started %} + {% if app.request.hasPreviousSession %} {% for flashMessage in app.session.flashbag.get('notice') %}
{{ flashMessage }}
{% endfor %} {% endif %} - -Another scenario where session cookies will be automatically sent is when the -requested URL is covered by a firewall, even when anonymous users can access -to that URL: - -.. code-block:: yaml - - # app/config/security.yml - security: - firewalls: - main: - pattern: ^/ - form_login: ~ - anonymous: ~ - -This behavior is caused because in Symfony applications, anonymous users are -technically authenticated.
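
Review bot: In PATCH 1/4, the firewall section that closes the new cookbook/session/avoid_session_start.rst states the problem and then stops: its last sentence ends in "authenticated,." and the reader gets no way to avoid the cookie, unlike the flash message section, which ends with a template check. Either add the remedy or say explicitly that there is none for URLs matched by a firewall with "anonymous: ~".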
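
Review bot: In PATCH 1/4, the cookbook/session/index.rst hunk makes avoid_session_start the last toctree entry but the file still ends with "\ No newline at end of file". End the file with a newline so that the next entry appended here is a one-line diff and does not have to touch this line again, as this hunk had to do with php_bridge.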
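
Review bot: In PATCH 2/4, first hunk, "Symfony creates a cookie which will be added to every user request" blurs who does what: the application sets the cookie in a response and the browser sends it back on later requests. Suggest wording it that way. The reworded opening line ("... automatically started whenever they are necessary.") is also noticeably longer than the lines around it and should be rewrapped.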
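
Review bot: In PATCH 2/4, second hunk, the reworded line "even when anonymous users can access" is still followed by the unchanged context line "to that URL:", so the sentence reads "can access to that URL". Change the next line as well so it reads "can access that URL".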
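
Review bot: In PATCH 3/4, the new :doc:`/cookbook/session/avoid_session_start` entry is added below the "(configuration)" cross-reference to pdo_session_storage, which separates it from the other articles of the session section. Move it up so it follows :doc:`/cookbook/session/php_bridge` and the cross-reference stays last in the list.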
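
Review bot: In PATCH 4/4, second hunk, the new guard "{% if app.request.hasPreviousSession %}" is true only when the incoming request already carries the session cookie, so a flash message added during a visitor's first request and rendered in that same response is skipped. The article should say so, for example by noting that the check fits the usual flow of setting a flash message and then redirecting. The same hunk deletes the whole firewall section with no replacement, and the commit message does not say whether that claim was wrong or has moved elsewhere; a line on that would help anyone reading the history.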