Symfony2 SessionUnavailable Exception



The require_previous_session setting is a bit oblique but can (hopefully) be explained with a bit of code.

So ordinarily, when you set up a standard form login (like the docs), in your security.yml file you set up your firewall with a pattern (say /user) and also set the anonymous option. Now down in your access control you set the login page (say /user/login) to have a role of IS_AUTHENTICATED_ANONYMOUSLY, like so:

    firewalls:
        default:
            pattern: ^/user
            anonymous: ~
            form_login:
                login_path: /user/login
                check_path: /user/login_check

    access_control:
        - { path: ^/user/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/user, roles: ROLE_USER }

Now, what happens when someone goes to /user is they get forwarded to /user/login; but when they do, they will have a session created for them (if they didn't already) and their assigned role will be anon (you can check this in the Symfony toolbar when on /user/login) as allowed by the access_control section above.

This means whenever someone logs in (i.e. sends credentials to /user/login_check) they will already have a session created for them and require_previous_session will be true.

For most people, this is fine and you won't have to worry about this setting. However, if you start touching the edges of the security component, for instance, creating your own authentication provider, or disabling security (security: false for a specific pattern, see the default dev firewall for an example of this) then you can come up against this problem.

As far as I know, there is no security penalty for not having a session before you log in - I have production sites going where this is the case. However, there is a benefit in that you can then use CSRF tokens (cookbook entry) on the login form for extra security, meaning that attacks on user accounts are a lot harder.

Short version: I wouldn't worry about setting that option if it solves your problem. Depending on your site size there can be a performance gain for doing so (if you can log into your entire site but unauthenticated users don't need a session) but security wise, you should be good.

Edit, example from above with require_previous_session set to false:

    firewalls:
        default:
            pattern: ^/user
            anonymous: ~
            form_login:
                login_path: /user/login
                check_path: /user/login_check
                require_previous_session: false
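The layout that actually triggers the exception the answer describes, as an added example that is not part of the original answer: the login form is served from an area where security is switched off (the same mechanism as Symfony's default dev firewall), so the browser arrives at check_path without any session cookie. The public firewall, its pattern and the landing page at / are assumptions made for this illustration; the dev firewall pattern is the one shipped in the Symfony2 standard edition. Firewalls are matched top to bottom, so the order of the entries matters.

```yaml
# security.yml (added example, not the original poster's configuration)
security:
    firewalls:
        # Symfony's stock dev firewall: no session is ever started here.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Assumed: the site's landing page at / embeds the login form.
        # security: false means visiting it starts no session, so the
        # first POST to /user/login_check carries no session cookie.
        public:
            pattern: ^/$
            security: false

        default:
            pattern: ^/user
            anonymous: ~
            form_login:
                login_path: /user/login
                check_path: /user/login_check
                # With the default (true), the POST from the public landing
                # page fails with SessionUnavailableException because the
                # listener insists on a pre-existing session. Setting it to
                # false lets the session be created during login_check.
                require_previous_session: false

    access_control:
        - { path: ^/user/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/user, roles: ROLE_USER }
```

If the form instead lives on /user/login (inside the default firewall, as in the answer's first snippet), the anonymous token already forces a session on the GET request and the default value of require_previous_session never gets in the way.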