I'm implementing a web service as part of a Symfony2 site that will be accessed using JSONP and iframes from another (static) site. When a user logs in using an iframe, Safari doesn't keep the session, so I store the session ID in the cookies of the static site using JavaScript, and pass it back in the GET or POST parameters of requests, which is working fine.
The problem is that on other browsers, the session cookie for the web service is being retained, which means that when the user logs out, they are in fact still logged in to the Symfony site.
Is there a way to, for the web service part of the Symfony site only, disable PHP session cookies, preferably in a Symfony2-friendly way (as opposed to, for example, messing with .htaccess)?
I still want a session, but will maintain it by passing a PHPSESSID variable myself in all the requests I make.
Symfony sessions are designed to replace several native PHP functions. Applications should avoid using session_start(), session_regenerate_id(), session_id(), session_name(), and session_destroy() and instead use the APIs in the following section.
To help overcome this, Symfony uses session bags linked to the session to encapsulate a specific dataset of attributes or flash messages. This approach also mitigates namespace pollution within the $_SESSION super-global because each bag stores all its data under a unique namespace.
Each session cookie also carries a unique session ID. A website uses this ID to authenticate the user and establish a trusted connection. For example, to log in to Facebook, you enter your username and password; a session with a unique ID is then created, and any further requests you make to the Facebook website are authenticated with that ID.
Session bags expose a small set of methods: one is called internally by Symfony's session storage classes to link the bag's data to the session, one returns the name of the bag, and one clears the data out of the bag. Bags implementing AttributeBagInterface exist to handle session attribute storage.
This might just be the thing you're looking for. Have stateless firewalls:
In your security.yml
```yaml
# app/config/security.yml
security:
    firewalls:
        main:
            stateless: true
```
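A `stateless: true` firewall stops Symfony from persisting the security token in the session, but it does not by itself stop PHP from emitting the PHPSESSID cookie once something starts the session. The listener below is an added illustration of the approach the question describes (session ID carried in the request, no session cookie on the web-service routes); it is not code from the original question or answer. It assumes a hypothetical `Acme\ApiBundle\EventListener\ApiSessionListener`, a `/api` path prefix for the web service, and the `PHPSESSID` parameter name the asker already uses; `kernel.request` listeners, `Session::setId()`, `Session::isStarted()` and the `session.use_cookies` ini setting are real Symfony2 and PHP features.

```php
<?php
// Hypothetical listener, not part of the original post. Register it in
// app/config/config.yml (service definition assumed, not from the page):
//
//   services:
//       acme_api.session_listener:
//           class: Acme\ApiBundle\EventListener\ApiSessionListener
//           arguments: ['/api']
//           tags:
//               - { name: kernel.event_listener, event: kernel.request,
//                   method: onKernelRequest, priority: 64 }
//
// Priority 64 runs before the security firewall listener (priority 8), so the
// session ID is in place before the firewall or any controller starts the session.

namespace Acme\ApiBundle\EventListener;

use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;

class ApiSessionListener
{
    /** @var string path prefix of the cookie-less web service (assumed: /api) */
    private $pathPrefix;

    public function __construct($pathPrefix = '/api')
    {
        $this->pathPrefix = $pathPrefix;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // Sub-requests (forward(), render()) share the master request's session.
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        $request = $event->getRequest();

        // Only the web-service routes are cookie-less; the rest of the site
        // keeps PHP's normal cookie-based session handling.
        if (0 !== strpos($request->getPathInfo(), $this->pathPrefix)) {
            return;
        }

        $session = $request->getSession();
        if (null === $session || $session->isStarted()) {
            // setId() throws once the session is active, so do nothing here.
            return;
        }

        // Tell PHP neither to read nor to emit the session cookie for this
        // request. Must happen before session_start(), which Symfony calls
        // lazily the first time the session is used.
        ini_set('session.use_cookies', '0');

        // Accept the ID from POST first, then from the query string.
        $id = $request->request->get('PHPSESSID', $request->query->get('PHPSESSID'));

        // Whitelist the characters PHP itself generates (a-z, A-Z, 0-9, ',' and '-')
        // so a malformed value can never reach the session save handler.
        if (is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id)) {
            $session->setId($id);
        }
        // No (valid) ID: the session starts fresh and the caller receives the
        // new ID in the login response, exactly as the asker already does.
    }
}
```

Because the server accepts whatever session ID the client presents, treat the login response as the place where the ID is issued: call `$session->migrate(true)` (or the equivalent `session_regenerate_id`) on successful authentication so an attacker cannot pre-plant an ID, and prefer carrying PHPSESSID in POST bodies over query strings, since a query-string ID is a bearer credential that lands in access logs and `Referer` headers. Logging out should call `$session->invalidate()` so the ID the static site still holds in its cookie stops working server-side.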