How does Symfony2 session fixation work? How does Symfony2 session fixation work? symfony symfony

How does Symfony2 session fixation work?


security symfony

In short:

  • NONE: the session is not changed
  • MIGRATE: the session id is updated, attributes are kept
  • INVALIDATE: the session id is updated, attributes are lost

In detail:

  1. None strategy: Nothing is (supposed to be) done in the default session implementation, thus the session is maintained from one context to the other.

  2. Migrate strategy: "Migrates the current session to a new session id while maintaining all session attributes."(The session storage should regenerate the current session.) "Regenerates id that represents this storage.This method must invoke session_regenerate_id($destroy) unless this interface is used for a storage object designed for unit or functional testing where a real PHP session would interfere with testing. Note regenerate+destroy should not clear the session data in memory only delete the session data from persistent storage."Thus the session is retained from one context to the other.

  3. Invalidate strategy: "Clears all session attributes and flashes and regenerates the session and deletes the old session from persistence."Thus the session is regenerated from one context to the other.

It was not revealed by your question what kind of session data you are trying to fetch.
But in any case, no separate session is generated for different security contexts:http://symfony.com/doc/current/reference/configuration/security.html#firewall-context

Security (authentication) related data is stored under a separate key (based on the firewall name). So for example if you have a firewall with a name 'main', the authentication token will be stored under '_security_main', if you have a firewall (a separate context) with a name 'foo', the user and related token data will be stored under '_security_foo', etc.

So besides ->getToken ->getUser (etc.) the rest of the session variables will be available in different contexts provided you use the 'none' or the 'migrate' session strategies.

Take a look at the session interface for details (quotes are from these files)vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/SessionInterface.php

And the default implementation: vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/Session.php

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last