
Is there a way to stop Symfony2 sending session cookies for certain paths?

I'm implementing a web service as part of a Symfony2 site that will be accessed using JSONP and iframes from another (static) site. When a user logs in using an iframe, Safari doesn't keep the session, so I store the session ID in the cookies of the static site using JavaScript, and pass it back in the GET or POST parameters of requests, which is working fine.

The problem is that on other browsers, the session cookie for the web service is being retained, which means that when the user logs out, they are in fact still logged in to the Symfony site.

Is there a way to, for the web service part of the Symfony site only, disable PHP session cookies, preferably in a Symfony2-friendly way (as opposed to, for example, messing with .htaccess)?

I still want a session, but will maintain it by passing a PHPSESSID variable myself in all the requests I make.

rjmunro asked Apr 27 '12 15:04



1 Answer

This might just be the thing you're looking for. Have stateless firewalls:

In your security.yml

# app/config/security.yml
security:
    firewalls:
        main:
            stateless:  true

Reza S answered Nov 10 '22 06:11
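
Since the question asks for this on the web service paths only, the following added example (not part of the answer above) scopes the stateless firewall with `pattern` and leaves the rest of the site session-backed. The `^/api/` prefix, the firewall names and the use of `http_basic` are assumptions for illustration.

```yaml
# app/config/security.yml
security:
    firewalls:
        # Firewalls are tried in order; the first matching pattern handles the request.
        # ^/api/ is an assumed prefix for the web service routes.
        webservice:
            pattern:    ^/api/
            # The security token is not persisted in the session between requests,
            # so every request to these paths must authenticate itself.
            stateless:  true
            # Assumed per-request authentication mechanism; replace with the real one.
            http_basic: ~

        # Everything else keeps the normal session-backed login.
        main:
            pattern:    ^/
            form_login: ~
            logout:     ~
```

With `stateless: true` the firewall does not rely on the session for authentication; application code that opens the session itself on those routes is outside what this setting controls.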