 

Symfony2 SessionUnavailable Exception

Is there someone who knows the Symfony authentication very well?

Because every time I try to login with a new browser after startup, I get the SessionUnavailable Exception with the text "No session available, it either timed out or cookies are not enabled." Why does it not make a new session when I'm using a new browser after startup?

I dug a little deeper and found one option "require_previous_session" that is set to true in: vendor/symfony/symfony/src/Symfony/Component/Security/HTTP/Firewall/AbstractAuthenticationListener.php, but I don't want to set it to false without knowing what it actually does.

Any tips would be great.

The Security.yml file is quite big because of the role system, but take a look here: Security.yml

Ruben Ravnå asked Sep 26 '15 23:09




1 Answer

The require_previous_session setting is a bit oblique but can (hopefully) be explained with a bit of code.

So ordinarily, when you set up a standard form login (like the docs), in your security.yml file you set up your firewall with a pattern (say /user) and also set the anonymous option. Now down in your access control you set the login page (say /user/login) to have a role of IS_AUTHENTICATED_ANONYMOUSLY, like so:

firewalls:
    default:
        pattern: ^/user
        anonymous: ~
        form_login:
            login_path: /user/login
            check_path: /user/login_check

access_control:
    - { path: ^/user/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/user, roles: ROLE_USER }

Now, what happens when someone goes to /user is they get forwarded to /user/login; but when they do, they will have a session created for them (if they didn't already) and their assigned role will be anon (you can check this in the Symfony toolbar when on /user/login) as allowed by the access_control section above.

This means whenever someone logs in (i.e. sends credentials to /user/login_check) they will already have a session created for them and require_previous_session will be true.

For most people, this is fine and you won't have to worry about this setting. However, if you start touching the edges of the security component, for instance, creating your own authentication provider, or disabling security (security: false for a specific pattern, see the default dev firewall for an example of this) then you can come up against this problem.

As far as I know, there is no security penalty for not having a session before you log in - I have production sites going where this is the case. However, there is a benefit in that you can then use CSRF tokens (cookbook entry) on the login form for extra security, meaning that attacks on user accounts are a lot harder.

Short version: I wouldn't worry about setting that option if it solves your problem. Depending on your site size there can be a performance gain for doing so (if you can log into your entire site but unauthenticated users don't need a session) but security wise, you should be good.

Edit, example from above with require_previous_session set to false:

firewalls:
    default:
        pattern: ^/user
        anonymous: ~
        form_login:
            login_path: /user/login
            check_path: /user/login_check
            require_previous_session: false
John Noel answered Oct 14 '22 20:10
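The check behind the exception, as an added example that is not part of the question or the answer above. The firewall listener only cares whether the request carries the session cookie (Request::hasPreviousSession()), so a browser that has never received a Set-Cookie from the login page fails the check even though a session object exists server-side. The script below reproduces that condition with Symfony's own HttpFoundation classes; it assumes a Composer install providing vendor/autoload.php, and the usernames, passwords and cookie value are constructed.

```php
<?php
// Added example: mirrors the require_previous_session check performed by
// AbstractAuthenticationListener before it reads submitted credentials.
// Assumes symfony/http-foundation and symfony/security-core are installed
// via Composer (vendor/autoload.php); this is not the listener's own code.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
use Symfony\Component\Security\Core\Exception\SessionUnavailableException;

/**
 * The listener's gate: with require_previous_session on, the request must
 * already carry the session cookie, otherwise authentication is refused.
 * hasPreviousSession() is true only when a session is attached AND the
 * request's cookies contain one named after that session.
 */
function assertPreviousSession(Request $request, array $options)
{
    if ($options['require_previous_session'] && !$request->hasPreviousSession()) {
        throw new SessionUnavailableException();
    }
}

/** Fresh server-side session (in-memory storage, no real cookie handling). */
function newSession()
{
    return new Session(new MockArraySessionStorage());
}

$credentials = ['_username' => 'alice', '_password' => 'secret']; // constructed
$options     = ['require_previous_session' => true];               // the default

// 1. A brand-new browser posts straight to check_path without ever loading
//    login_path: no session cookie is sent, so the listener throws.
$session = newSession();
$req = Request::create('/user/login_check', 'POST', $credentials);
$req->setSession($session);
try {
    assertPreviousSession($req, $options);
} catch (SessionUnavailableException $e) {
    echo 'fresh browser: ', $e->getMessage(), PHP_EOL;
}

// 2. The same browser after a GET /user/login: that response set the session
//    cookie, so the POST now carries it and the check passes.
$session = newSession();
$req = Request::create(
    '/user/login_check',
    'POST',
    $credentials,
    [$session->getName() => 'constructed-session-id'] // cookie echoed back by the browser
);
$req->setSession($session);
assertPreviousSession($req, $options);
echo 'after visiting the login page: previous session found', PHP_EOL;

// 3. require_previous_session: false disables the gate entirely; the login
//    then works without a prior visit, at the cost of having no session in
//    which a CSRF token for the form could have been stored beforehand.
$session = newSession();
$req = Request::create('/user/login_check', 'POST', $credentials);
$req->setSession($session);
assertPreviousSession($req, ['require_previous_session' => false]);
echo 'require_previous_session=false: no prior session needed', PHP_EOL;
```

Case 1 is the situation in the question: the symptom appears whenever the first request a client makes to the firewall is the credential POST itself, for instance when the login page lives outside the firewall (security: false, or a different pattern) and therefore never starts a session. Fixing the login page so it is served from inside the firewall keeps the default intact; switching the option off is the alternative the answer describes.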