[symfony/framework-bundle] Enable session support by default #333
Conversation
Pull request passes validation.
Pull request passes validation.
This can be merged without waiting for symfony/symfony#25699.
Recipes should have default values that fit 80% of the use cases. Looking at the 2017 survey, I'm not sure 80% of the users would like to have a session.
@Nyholm which part of the survey do you link to?
#session: | ||
# # With this config, PHP's native session handling is used | ||
# handler_id: ~ | ||
session: |
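Review bot: the bare `session:` line that replaces the commented-out block drops the only documentation the generated config carried about what the default means (the old `# handler_id: ~` comment said it selects PHP's native session handling), so a developer reading the recipe output no longer learns which handler is active, that enabling the key costs nothing until the session is actually read or written, or how to turn the feature off again. Keep a short comment directly above `session:` stating those three things, for example:
# Enables session support. The session is only started when it is read from or written to.
# Remove or comment out this key to disable session support.
session: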
I'd add a comment here to explain that it doesn't harm their application's performance.
And also perhaps a note about how they could remove this to explicitly disable sessions?
Any suggestions?
# Enables session support. Note that the session will ONLY be started if you read or write from it.
# Remove or comment this section to explicitly disable session support.
session:
👍 I rudely made a few minor tweaks to your suggestion - hope you don't mind @sroze ;)
That’s perfect. I’ll survive it 😜
updated, thanks
Page 3. Okay, fair.
This is awesome. This is currently the biggest DX issue, along with csrf_protection, which I believe we could also “fix” after this, since it’s complicated due to session maybe not being available.
I opened a docs issue for this
@weaverryan We've switched from session based CSRF protection to the Double Submit Cookie strategy to avoid relying on the session just for CSRF protection. Just FYI, maybe that would be a good addition to SF in a future version 😄
Pull request passes validation.
This is good for me!
…tting response "private" (nicolas-grekas)

This PR was merged into the 3.4 branch.

Discussion
----------

[HttpKernel] Fix session handling: decouple "save" from setting response "private"

| Q | A |
| ------------- | --- |
| Branch? | 3.4 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | - |
| License | MIT |
| Doc PR | - |

Fixes #25583 (comment) from @Tobion, and provides extra laziness for the "session" service, related to symfony/recipes#333.

(deps=high failure will be fixed by merging to upper branches.)

Commits
-------

f8727b8 [HttpKernel] Fix session handling: decouple "save" from setting response "private"
Enabling session by default has only one practical downside: some classes/services are loaded but never used. Not a big deal.
STILL, this is something that is going to be fixed on Symfony by symfony/symfony#25699, where the session is made extra-lazy.
Thus, this is my proposal to fix #262.
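The point that runs through the thread is that enabling `session:` in the recipe only wires the service; nothing is started, no cookie is set and the response stays cacheable until application code reads or writes the session. The controller below is an added example written for this page, not code from the recipe or from symfony/symfony, showing how to lean on that laziness deliberately. It assumes a Symfony 4 application with the `session:` key enabled in `config/packages/framework.yaml`, the public `Request` API (`hasPreviousSession()`, `getSession()`) and `SessionInterface` (`get()`, `set()`); the `PreferencesController` class name, the route names mentioned in comments and the `theme` preference are assumptions made up for the illustration.

```php
<?php
// Added example, not part of the symfony/recipes PR or of Symfony itself.
// Assumes a Symfony 4 app with "session:" enabled in config/packages/framework.yaml
// and three routes (landing, show, save) pointing at the actions below; the routes
// themselves are defined elsewhere and are an assumption of this example.
namespace App\Controller;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class PreferencesController
{
    // Allow-listed values for the (assumed) "theme" preference stored in the session.
    private const THEMES = ['light', 'dark'];

    /**
     * Public landing page. It never touches the session, so even with "session:"
     * enabled no session is started, no Set-Cookie header is emitted, and the
     * explicit public cache headers below survive to the HTTP cache.
     */
    public function landing(Request $request): Response
    {
        $response = new Response('<h1>Welcome</h1>');
        $response->setPublic();
        $response->setMaxAge(600);

        return $response;
    }

    /**
     * Reads the preference. hasPreviousSession() is true only when the request
     * carried a session cookie, so anonymous visitors get a default answer
     * without a session ever being started for them.
     */
    public function show(Request $request): Response
    {
        if (!$request->hasPreviousSession()) {
            return new Response('theme=light (default, no session)');
        }

        // First read: this is the moment the session is actually started.
        $theme = $request->getSession()->get('theme', 'light');

        return new Response(sprintf('theme=%s', $theme));
    }

    /**
     * Writes the preference. The first write starts the session and causes the
     * framework to send the session cookie with this response; the value is
     * validated against the allow-list before it is stored.
     */
    public function save(Request $request): Response
    {
        $theme = (string) $request->request->get('theme', 'light');
        if (!in_array($theme, self::THEMES, true)) {
            return new Response('unknown theme', Response::HTTP_BAD_REQUEST);
        }

        $request->getSession()->set('theme', $theme);

        return new Response('', Response::HTTP_NO_CONTENT);
    }
}
```

The `hasPreviousSession()` guard in `show()` is the practical way to keep the "only started if you read or write from it" property from the suggested config comment: a `get()` with a default would otherwise start an empty session for every anonymous visitor, emit a cookie, and mark the response private.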