Details

      Description

      In eZ Publish 5, the Symfony stack will always create a session, even for anonymous users.

      This behavior is different from legacy, where it can be controlled with:

      [Session]
      ForceStart=disabled
      

      When using Varnish, for example, depending on the eZSESSID cookie header can result in the site not being cached.


          Activity

          Joao Inacio (Inactive) added a comment - edited

          @notes:

          Modifying security configuration does not seem to be supported:

          security:
              firewalls:
                  ezpublish_front:
                      pattern: ^/
                      ezpublish: true
                      security: false
          

          Results in the following error when opening the homepage:

          The security context contains no authentication token. One possible reason may be that there is no firewall configured for this URL.
          500 Internal Server Error - AuthenticationCredentialsNotFoundException

          Jérôme Vieilledent (Inactive) added a comment -

          Actually Symfony does support lazy sessions, but the way it is implemented with eZ Publish makes it impossible for now (due to technical reasons as the legacy stack still handles login).

          And indeed, doing security: false is not supported at all as it disables the pre-authentication firewall, hence your 500 error.

          To summarize, this known issue will be fixed once login is handled by the whole Symfony stack (should be 5.2 I think).

          André Rømcke added a comment -

          Note: Lazy sessions should be supported as of eZ Publish 5.3 on front-end where login / Authentication was moved to Symfony, but make sure no custom listeners or template code is triggering session start.

          Some examples of things to avoid:

          • Use of Symfony Session object, its parameter bag or flashbag from PHP code
          • Use of app.session.flashBag in Twig templates
          • Use of eZUser::fetch in legacy w/o checking if Session has started yet

          See EZP-23176

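A static check for the session-starting patterns listed in the comment above, as an added example that is not part of the original issue or eZ Publish's own code. The regular expressions, file suffixes and sample sources are assumptions constructed for illustration.

```python
import re

# Assumed patterns, derived from the "things to avoid" list in the comment above;
# extend them for your own code base.
SESSION_TRIGGERS = {
    ".twig": [
        (re.compile(r"\bapp\.session\b"), "app.session used in a Twig template"),
    ],
    ".php": [
        (re.compile(r"->\s*getSession\s*\("), "Symfony Session object fetched"),
        (re.compile(r"->\s*getFlashBag\s*\("), "Symfony flash bag accessed"),
        (re.compile(r"\beZUser::fetch\s*\("),
         "eZUser::fetch call; confirm a session-started check precedes it"),
    ],
}


def find_session_triggers(files):
    """files maps path -> source text; returns sorted (path, line_no, reason) tuples."""
    findings = []
    for path, text in files.items():
        for suffix, rules in SESSION_TRIGGERS.items():
            if not path.endswith(suffix):
                continue
            for line_no, line in enumerate(text.splitlines(), start=1):
                # Skip comment-only lines so documentation does not raise findings.
                if line.strip().startswith(("//", "#", "*", "{#")):
                    continue
                for pattern, reason in rules:
                    if pattern.search(line):
                        findings.append((path, line_no, reason))
    return sorted(findings)


# Constructed sample sources (not taken from any real project).
SAMPLE_FILES = {
    "Resources/views/pagelayout.html.twig": (
        "<body>\n"
        "{% for msg in app.session.flashBag.get('notice') %}\n"
        "  <p>{{ msg }}</p>\n"
        "{% endfor %}\n"
    ),
    "EventListener/LocaleListener.php": (
        "<?php\n"
        "// $request->getSession() would start a session for anonymous users\n"
        "$locale = $request->getSession()->get('_locale');\n"
    ),
    "Controller/StaticController.php": "<?php\nreturn new Response('ok');\n",
}

if __name__ == "__main__":
    for path, line_no, reason in find_session_triggers(SAMPLE_FILES):
        print(f"{path}:{line_no}: {reason}")
```

Any finding on a code path that serves anonymous front-end pages is a candidate cause of an unexpected eZSESSID cookie and therefore of uncached responses behind Varnish.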

            People

            • Assignee: Unassigned
            • Reporter: Joao Inacio (Inactive)
            • Votes: 0
            • Watchers: 2
