My Symfony2 application replaces my PHPSESSID cookie when it logs me in. Is this expected behavior? It makes no sense to me... why not just keep the same PHPSESSID?
Here's a little more detail.
To log in to my application, I must first make a request to a URL that hits my app:
$ telnet myapp 80
GET / HTTP/1.1
Host: myapp
I'm redirected to another URL (/login) and given a PHPSESSID cookie. Fine. Then I POST to /login_check something like _username=blah&_password=blah, and whether or not I provide proper credentials, I'm sent a different PHPSESSID cookie.
Seems like most anything works for this first request, but I must make some request (I can't just POST to /login_check and be logged in). Is this expected behavior?
Not sure if it matters, but I'm using FOSUserBundle.
I guess I should mention that none of this matters until I put my application on two webservers behind a load balancer, and tell the load balancer to use stickiness based on PHPSESSID. As you might imagine, the PHPSESSID replacement behavior prevents login from working if a client happens to bounce to the other webserver.
Possible duplicate: Symfony2: login does not work on first try after clearing cookies
It is to prevent session fixation. I would advise another cookie than the session one for load balancing.
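An added example (not from the question or this answer) showing the two points above in plain PHP: the session id is regenerated at login so a pre-planted PHPSESSID never becomes an authenticated one, and the load balancer gets its own affinity cookie that does not change. The cookie name SRVID, the node name and the authenticate() helper are assumptions.

```php
<?php
// Added example: login handler with session-fixation defence and a
// separate load-balancer affinity cookie. Names below are assumed.
declare(strict_types=1);

const AFFINITY_COOKIE = 'SRVID'; // assumed name of the balancer's sticky cookie
const SERVER_NODE     = 'web1';  // assumed identifier of this backend

function authenticate(string $username, string $password): bool
{
    // Constructed stand-in for a real user store.
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

session_start();

// Stickiness rides on its own cookie, so a changing PHPSESSID no longer
// sends the client to a different backend mid-login.
if (!isset($_COOKIE[AFFINITY_COOKIE])) {
    setcookie(AFFINITY_COOKIE, SERVER_NODE, [
        'path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
    ]);
}

if (authenticate($_POST['_username'] ?? '', $_POST['_password'] ?? '')) {
    // Session fixation defence: swap the session id on privilege change and
    // delete the old session data, so an id known to anyone before login
    // is never valid for the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['_username'];
    header('Location: /');
    exit;
}

header('Location: /login?error=1');
exit;
```

If the two backends do not share session storage, the affinity cookie keeps the client on the node that holds the session; a shared session handler removes that dependency entirely.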
This can be a bug. For Symfony 2.0, if you try to read something from the session, or even try to get a session identifier, when SessionListener has not been invoked yet, you will notice that the new session is started with another PHPSESSID.
This also can be related to locale support, here is my issue for this: https://github.com/symfony/symfony/issues/3662