
hello mauricio,

i found no bullet proof thing to control it in general. however, i
realized that i had framework.session.auto_start: true in my config.yml
i set this to false and now i only get a session if one is started for
some specific reason (i.e. csrf in forms needs a session - and does not
kill it after the form has been successfully submitted)

to be perfectionist, you could try to add some code to remove session
cookies when they are present but user is not logged in and there is no
reason for a session. but i think it's pretty hard to know for sure, you
would need to check all components involved in your request...

not sure if symfony2 might have some clever way to handle this situation.

i just worked my way around it by configuring varnish to ignore cookies
for pages that do not differ on logged-in-status.

hope this helps,
cheers,david


> Hey David,
>
> I was just looking at your post because I'm kind of facing the same
> issue, I want to avoid sending session cookies for users that are not
> logged in. I wonder whether you managed to solve it, did you?
>
> Cheers!,
> Mauricio.
>

Am 19.03.2011 11:56, schrieb David Buchmann:
> hello,
> 
> i try to set up varnish in front of our symfony2 application and have a
> few questions that seem not to be covered by the documentation [1] [2] [3]
> 
> we use form authentication with native sessions and the remember me
> feature active.
> 
> 1. can i tell symfony2 to not start a session unless the user wants to
> log in? thus have no session cookie except for logged in users? this
> would tremendously help with the varnish setup.
> 
> 2. the session cookie has a lifetime of 1 hour. it is not refreshed on
> each request (i see no Set-Cookie: header in responses for a logged in
> user). how is the session kept alive? or does the user lose his session
> after that hour even if he is constantly active on the site, and then
> remember me triggers him to be logged back in?
> not sure if this is really a symfony question, but i found no
> information on the topic at php.net either, except for some people
> re-sending the cookie on each request - which i do not want to work
> around symfony2 to do it. and it would be bad for caching.
> 
> 
> my current idea is:
> make the part that is session specific an esi include that varies on
> cookies and has a lifetime matching the expected age of the session. if
> the client loses his cookie, he sees immediately that he is no longer
> logged in (resp. rememberme can trigger and log him back in).
> does this make sense?
> 
> 
> if the docs + cookbook are on github, i could send some pull request
> afterwards with the result of this discussion integrated...
> 
> cheers,david
> 
> 
> [1] http://symfony.com/doc/2.0/book/security/authentication.html
> [2] http://symfony.com/doc/2.0/book/http_cache.html
> [3] http://symfony.com/doc/2.0/cookbook/cache/varnish.html

-- 
Liip AG // Agile Web Development // T +41 26 422 25 11
CH-1700 Fribourg // PGP 0xA581808B // www.liip.ch
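The two rules discussed in this thread, as an added example that is not code from the thread, from Symfony or from Varnish: the cache-side rule that drops cookies on pages that do not differ by logged-in status, and a check that flags a session cookie being set on a response to an anonymous request (the auto_start symptom). The cookie names PHPSESSID and REMEMBERME and the login-sensitive path prefixes are assumptions about the deployment; the sample headers are constructed.

```python
# Cookie names assumed for this deployment: PHPSESSID is PHP's default session
# cookie, REMEMBERME is the default name of Symfony's remember-me cookie.
AUTH_COOKIES = {"PHPSESSID", "REMEMBERME"}

# Path prefixes whose response differs by logged-in status (assumed layout).
LOGIN_SENSITIVE_PREFIXES = ("/account", "/login", "/logout")


def parse_cookies(header):
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs.append((name, value))
    return pairs


def normalize_cookie_header(path, cookie_header):
    """Cache-side rule from the thread: pages that do not differ on login
    status get their Cookie header dropped entirely so they are cacheable;
    login-sensitive pages keep only the auth cookies, so analytics and
    preference cookies cannot fragment the cache or bypass it."""
    if not path.startswith(LOGIN_SENSITIVE_PREFIXES):
        return None
    kept = [f"{n}={v}" for n, v in parse_cookies(cookie_header) if n in AUTH_COOKIES]
    return "; ".join(kept) or None


def session_started_for_anonymous(cookie_header, response_headers):
    """Return the Set-Cookie values that start an auth/session cookie on a
    response to a request that carried none. A non-empty result on an
    ordinary page is the auto_start symptom: every anonymous visitor gets a
    session and the cache in front refuses to store the page."""
    if any(n in AUTH_COOKIES for n, _ in parse_cookies(cookie_header)):
        return []
    return [v for h, v in response_headers
            if h.lower() == "set-cookie" and v.split("=", 1)[0].strip() in AUTH_COOKIES]


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real site.
    print(normalize_cookie_header("/blog/post-1", "_ga=GA1.2.1; PHPSESSID=abc123"))
    print(normalize_cookie_header("/account", "_ga=GA1.2.1; PHPSESSID=abc123"))
    leaked = session_started_for_anonymous(
        "", [("Content-Type", "text/html"),
             ("Set-Cookie", "PHPSESSID=deadbeef; path=/; HttpOnly")])
    print("session auto-started for anonymous request:", bool(leaked))
```

Run the second check against an anonymous fetch of a page that should be cacheable; any returned value means the application still starts sessions for visitors who have no reason for one.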
