Thanks David... I'll check it out and I'll post if I find a clever workaround for this. Peace...
On Mon, Apr 25, 2011 at 12:50 PM, David Buchmann <david.buchm...@liip.ch> wrote:

> hello mauricio,
>
> i found no bullet proof thing to control it in general. however, i
> realized that i had framework.session.auto_start: true in my config.yml
> i set this to false and now i only get a session if one is started for
> some specific reason (i.e. csrf in forms needs a session - and does not
> kill it after the form has been successfully submitted)
>
> to be perfectionist, you could try to add some code to remove session
> cookies when they are present but user is not logged in and there is no
> reason for a session. but i think it's pretty hard to know for sure, you
> would need to check all components involved in your request...
>
> not sure if symfony2 might have some clever way to handle this situation.
>
> i just worked my way around it by configuring varnish to ignore cookies
> for pages that do not differ on logged-in-status.
>
> hope this helps,
> cheers,david
>
> > Hey David,
> >
> > I was just looking at your post because I'm kind of facing the same
> > issue, I want to avoid sending session cookies for users that are not
> > logged in. I wonder whether you managed to solve it, did you?
> >
> > Cheers!,
> > Mauricio.
> >
> > On 19.03.2011 11:56, David Buchmann wrote:
> > hello,
> >
> > i try to set up varnish in front of our symfony2 application and have a
> > few questions that seem not to be covered by the documentation [1] [2] [3]
> >
> > we use form authentication with native sessions and the remember me
> > feature active.
> >
> > 1. can i tell symfony2 to not start a session unless the user wants to
> > log in? thus have no session cookie except for logged in users? this
> > would tremendously help with the varnish setup.
> >
> > 2. the session cookie has a lifetime of 1 hour. it is not refreshed on
> > each request (i see no Set-Cookie: header in responses for a logged in
> > user). how is the session kept alive? or does the user lose his session
> > after that hour even if he is constantly active on the site, and then
> > remember me triggers him to be logged back in?
> > not sure if this is really a symfony question, but i found no
> > information on the topic at php.net either, except for some people
> > re-sending the cookie on each request - which i do not want to work
> > around symfony2 to do it. and it would be bad for caching.
> >
> >
> > my current idea is:
> > make the part that is session specific an esi include that varies on
> > cookies and has a lifetime matching the expected age of the session. if
> > the client loses his cookie, he sees immediately that he is no longer
> > logged in (resp. rememberme can trigger and log him back in).
> > does this make sense?
> >
> >
> > if the docs + cookbook are on github, i could send some pull request
> > afterwards with the result of this discussion integrated...
> >
> > cheers,david
> >
> >
> > [1] http://symfony.com/doc/2.0/book/security/authentication.html
> > [2] http://symfony.com/doc/2.0/book/http_cache.html
> > [3] http://symfony.com/doc/2.0/cookbook/cache/varnish.html
>
> --
> Liip AG // Agile Web Development // T +41 26 422 25 11
> CH-1700 Fribourg // PGP 0xA581808B // www.liip.ch

--
Mauricio.
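
The workaround David describes in the quoted reply (Varnish ignoring cookies on pages that do not differ on logged-in status) could be sketched as below. This is an added example, not configuration from the thread: it uses Varnish 4 VCL syntax, and the backend address and the URL prefixes are assumptions to be replaced with the application's own.

```vcl
vcl 4.0;

# Assumed backend: the Symfony2 application listening locally.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Hypothetical prefixes whose output depends on the session: login and
    # logout, account pages, the session-specific ESI fragment, and any
    # page carrying a form with a CSRF token (the token needs a session).
    if (req.url ~ "^/(login|logout|account|_esi/user|contact)") {
        return (pass);
    }

    # Everything else looks the same for anonymous and logged-in users.
    # Dropping the cookie lets the built-in vcl_recv do a cache lookup and
    # gives the backend no session id to attach the response to.
    if (req.method == "GET" || req.method == "HEAD") {
        unset req.http.Cookie;
    }
    # No return here: fall through to the built-in vcl_recv, which still
    # passes POST and other non-cacheable methods.
}

sub vcl_backend_response {
    if (bereq.url ~ "^/(login|logout|account|_esi/user|contact)") {
        # Session-specific response: keep Set-Cookie and keep it out of
        # the cache.
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }

    if (bereq.method == "GET" || bereq.method == "HEAD") {
        # A Set-Cookie header stored with a cached object would be replayed
        # to every visitor who gets that object, handing them all the same
        # session id. Strip it before the object can be cached.
        unset beresp.http.Set-Cookie;
    }
}
```

The two regular expressions must stay identical; a URL that is cached in one subroutine but treated as session-specific in the other either leaks a session cookie into the cache or never gets cached at all.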