-
-
Notifications
You must be signed in to change notification settings - Fork 483
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What to do if a bundle (recipe) needs session? #262
Comments
I've been thinking a lot about this too. It's a real outlier: one of the few critical services that is activated by uncommenting config, versus installing a package. But, it's more than that: 3rd-party bundles (I'm working on FOSUserBundle right now) have no easy way to detect if the session is missing: there is no I can think of 3 solutions: A) Do nothing: use compiler passes when necessary to throw a clear exception if your bundle needs the session. B) Create a fake C) As a follow-up to B, move the session logic into its own package so that it works a bit like the other pieces (e.g. translator, serializer, etc). Thoughts? |
@weaverryan So, if a new recipe requires framework:
assets: ~
form: ~
session: ~ |
Some people in the community have been asking to make a new Session component since 2014:
|
@weaverryan as @covex-nn mentioned it's a wider problem not only related to "activate session" in the framework. All solutions A to C seems just to be workarounds. C) is a good idea, but actually not related to this issue. Moving What about a new possibility to set config other than just copy your
During @covex-nn is this actually working to add a |
This could be nice, but the problem is that we then have to find a BC layer for current session from HttpFoundation. I think the best idea is to make sub-splits of HttpFoundation like |
@scuben my suggestion was to activate session inside new |
@covex-nn yes, but that would lead to a config key in many |
Yeah, the problem is that many packages need the session 😕 |
@scuben @Pierstoval if many packages needs session, then there will be many... framework:
session: ~ ... and there will be only one service, configured by default. I created new project with
So, no problem here |
But what if the config value is not just on/off? Like in this example (yeah, not a good example. but one gets it):
versus
Which one should be used? I think it should be the customers choice during flex installation. |
I'm not sure having the same config in tons of files is the best option. If we start today with session, I'm afraid other components will be activated this way and if we want to deactivate one, we'll need to disable it in several files, it's probably gonna be a PITA to debug... 😕 |
See proposal at symfony/symfony#25508 |
@nicolas-grekas session was not enabled for |
My proposal just changes the default value. So yes, you can change it: just set it and overwrite the default. |
What about creating a session.yaml file, that would contain the session enabling lines? |
Then it would have to be kinda "standard": by default, |
What if session will be activated by default, but it will use some Also there could be a comment in framework:
# to activate session do this and that
# or remove session block if you do not want to use session at all
session:
storage_id: session.storage.null
handler_id: session.handler.null |
Just like in #258 I'm running into the same issue with the security config. An option to merge/update framework and/or security entries would be very helpful. |
I like the session.yaml idea. But to accomplish this, would every bundle that needs a session need to duplicate this in their recipe? There is also session config needed for the test environment (currently done in config/packages/test/framework.yaml, and you need to know to also uncomment it there). If we had a session component, this would be much easier (give it a recipe, and other packages depend on it). But we don’t... |
Just asking: would creating a Session component be a huge task? We wouldn't start from scratch. It could be doable pretty quickly ... if we really want to do that. |
If for some reason Session must be a part of
|
What's the downside of always enabling the session? Looks the most sensible to me for now, isn't it? |
Proposed fix in #333 |
…sion* are loaded (nicolas-grekas) This PR was merged into the 3.4 branch. Discussion ---------- [FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony/recipes#262 | License | MIT | Doc PR | - By binding CSRF and session default state, we provide better DX, but we also provide a way for bundles to enable session on its own: they just need to require "symfony/security-csrf". Yes, that's a side effect, but I think that's a nice one for 3.4/4.0. Of course, we might do better in 4.1, but for bug fix only releases, LGTM. Commits ------- 9e8231f [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
…sion* are loaded (nicolas-grekas) This PR was merged into the 3.4 branch. Discussion ---------- [FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony/recipes#262 | License | MIT | Doc PR | - By binding CSRF and session default state, we provide better DX, but we also provide a way for bundles to enable session on its own: they just need to require "symfony/security-csrf". Yes, that's a side effect, but I think that's a nice one for 3.4/4.0. Of course, we might do better in 4.1, but for bug fix only releases, LGTM. Commits ------- 9e8231f [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
The defaults in framework uncomments the session and thus the session service is not being created. But what can one do if a bundle (recipe) needs the session to be available?
The text was updated successfully, but these errors were encountered: