Is there someone who knows the Symfony authentication very well?
Because every time I try to login with a new browser after startup, I get the SessionUnavailable Exception with the text "No session available, it either timed out or cookies are not enabled." Why does it not make a new session when I'm using a new browser after startup?
I dug a little deeper and found one option "require_previous_session" that is set to true in: vendor/symfony/symfony/src/Symfony/Component/Security/HTTP/Firewall/AbstractAuthenticationListener.php, but I don't want to set it to false without knowing what it actually does.
Any tips would be great.
The Security.yml file is quite big because of the role system, but take a look here: Security.yml
The require_previous_session setting is a bit oblique but can (hopefully) be explained with a bit of code.
So ordinarily, when you set up a standard form login (like the docs), in your security.yml file you set up your firewall with a pattern (say /user) and also set the anonymous option. Now down in your access control you set the login page (say /user/login) to have a role of IS_AUTHENTICATED_ANONYMOUSLY, like so:
firewalls:
    default:
        pattern: ^/user
        anonymous: ~
        form_login:
            login_path: /user/login
            check_path: /user/login_check
access_control:
    - { path: ^/user/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/user, roles: ROLE_USER }
Now, what happens when someone goes to /user is they get forwarded to /user/login; but when they do, they will have a session created for them (if they didn't already) and their assigned role will be anon (you can check this in the Symfony toolbar when on /user/login) as allowed by the access_control section above.
This means whenever someone logs in (i.e. sends credentials to /user/login_check) they will already have a session created for them and require_previous_session will be true.
For most people, this is fine and you won't have to worry about this setting. However, if you start touching the edges of the security component, for instance, creating your own authentication provider, or disabling security (security: false for a specific pattern, see the default dev firewall for an example of this) then you can come up against this problem.
As far as I know, there is no security penalty for not having a session before you log in - I have production sites going where this is the case. However, there is a benefit in that you can then use CSRF tokens (cookbook entry) on the login form for extra security, meaning that attacks on user accounts are a lot harder.
Short version: I wouldn't worry about setting that option if it solves your problem. Depending on your site size there can be a performance gain for doing so (if you can log into your entire site but unauthenticated users don't need a session) but security wise, you should be good.
Edit, example from above with require_previous_session set to false:
firewalls:
    default:
        pattern: ^/user
        anonymous: ~
        form_login:
            login_path: /user/login
            check_path: /user/login_check
            require_previous_session: false
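To make the behaviour described in the answer reproducible offline, here is an added illustration (not the answerer's code and not Symfony's own listener) that models the gate the form_login listener applies before it touches the submitted credentials: a "previous session" means the request carried the firewall's session cookie, and with require_previous_session left at its default of true a request without that cookie is rejected with SessionUnavailableException. The session cookie name PHPSESSID and the option key session_cookie_name are assumptions for this model only.

```php
<?php
// Added illustration, not Symfony's own code: a minimal model of the check in
// AbstractAuthenticationListener so the "fresh browser" failure from the
// question can be reproduced without a running Symfony application.
// Assumed names: the session cookie is PHPSESSID and the hypothetical
// 'session_cookie_name' option only exists in this model.

declare(strict_types=1);

final class SessionUnavailableException extends RuntimeException {}

/**
 * Model of Request::hasPreviousSession(): a request counts as having a
 * previous session only when the browser sent the configured session cookie.
 */
function hasPreviousSession(array $requestCookies, string $sessionCookieName): bool
{
    return array_key_exists($sessionCookieName, $requestCookies);
}

/**
 * Model of the gate in the form_login listener. Returns true when the
 * credentials would be handed on to authentication; throws when the firewall
 * refuses the attempt because no previous session was found.
 */
function acceptLoginAttempt(array $requestCookies, array $options): bool
{
    $requirePreviousSession = $options['require_previous_session'] ?? true; // Symfony's default
    $sessionCookieName = $options['session_cookie_name'] ?? 'PHPSESSID';      // assumption

    if ($requirePreviousSession && !hasPreviousSession($requestCookies, $sessionCookieName)) {
        throw new SessionUnavailableException(
            'No session available, it either timed out or cookies are not enabled.'
        );
    }
    return true;
}

// Constructed scenarios: a browser that visited /user/login first (and so got a
// session cookie from the anonymous firewall) versus a fresh browser that posts
// straight to /user/login_check without any cookie.
$scenarios = [
    'browser that loaded /user/login first' => ['PHPSESSID' => 'abc123'],
    'fresh browser posting directly to /user/login_check' => [],
];

foreach ([true, false] as $required) {
    foreach ($scenarios as $label => $cookies) {
        try {
            acceptLoginAttempt($cookies, ['require_previous_session' => $required]);
            $result = 'credentials passed on to the authentication provider';
        } catch (SessionUnavailableException $e) {
            $result = 'rejected: ' . $e->getMessage();
        }
        printf("require_previous_session=%s | %s -> %s\n",
            var_export($required, true), $label, $result);
    }
}
```

Running the script shows the asymmetry the answer describes: with the option at its default only the browser that already holds a session cookie gets past the gate, while with require_previous_session: false both requests are handed on to the authentication provider. The model deliberately stops at that gate; whether the credentials are then valid is a separate step.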