Closed
Symfony version(s) affected
5.4.0
Description
If I choose to use php.ini (or the NativeSessionStorage class) to configure the session.cookie_* settings, the AbstractSessionListener doesn't use them as expected (possibly after the refactoring in #41390), and I'm forced to set them in the framework.yaml configuration.
On symfony/http-kernel 5.3 this works as expected.
How to reproduce
- as an example we use session.cookie_path, but this should work for any session.cookie_* setting
- configure session.cookie_path on your php.ini
- do NOT configure cookie_path on your framework.yaml
- start a session via Symfony SessionListener
- the session cookie uses the Symfony default setting for cookie_path (which is "/") and not (as expected) the setting from php.ini
Possible Solution
- get the setting from php.ini in the AbstractSessionListener->onKernelResponse function: https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php#L143
- use this setting if $this->sessionOptions['cookie_path'] is not set, before using the default value
Additional Context
Additionally, the session.cookie_secure=auto setting doesn't work as expected anymore, because Cookie::create expects a boolean value for the $secure parameter... so now it's always true. :-(
https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php#L171
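
The fallback order proposed in the issue, together with the `auto` handling, can be sketched as follows. This is an added example, not code from the issue or from Symfony: `resolveSessionCookieParams()` and the `$requestIsHttps` flag are hypothetical names, and it assumes `auto` means "Secure only when the request arrived over HTTPS".

```php
<?php
// Added example; resolveSessionCookieParams() is a hypothetical helper, not Symfony code.

function resolveSessionCookieParams(array $sessionOptions, bool $requestIsHttps): array
{
    // Effective php.ini values: session.cookie_path, session.cookie_domain,
    // session.cookie_secure, session.cookie_httponly, session.cookie_samesite.
    // PHP always returns a value here (its built-in default if php.ini is silent).
    $ini = session_get_cookie_params();

    $resolved = [];
    foreach (['path', 'domain', 'secure', 'httponly', 'samesite'] as $key) {
        // An explicitly configured framework option wins; otherwise keep php.ini.
        $resolved[$key] = array_key_exists("cookie_$key", $sessionOptions)
            ? $sessionOptions["cookie_$key"]
            : $ini[$key];
    }

    // 'auto' is a non-empty string, so coercing it to bool yields true.
    // Resolve it against the request scheme before it reaches a bool parameter.
    if ('auto' === $resolved['secure']) {
        $resolved['secure'] = $requestIsHttps;
    } else {
        $resolved['secure'] = filter_var($resolved['secure'], FILTER_VALIDATE_BOOLEAN);
    }
    $resolved['httponly'] = filter_var($resolved['httponly'], FILTER_VALIDATE_BOOLEAN);

    return $resolved;
}

// Constructed scenario: php.ini scopes the cookie to /app, the framework options
// leave cookie_path unset and set cookie_secure to 'auto'.
ini_set('session.cookie_path', '/app');
$options = ['cookie_secure' => 'auto'];

// Resolve both cases before printing anything, so no output precedes ini_set().
$overHttp  = resolveSessionCookieParams($options, false);
$overHttps = resolveSessionCookieParams($options, true);

var_dump($overHttp['path']);    // path taken from php.ini, not the "/" default
var_dump($overHttp['secure']);  // 'auto' resolved for a plain HTTP request
var_dump($overHttps['secure']); // 'auto' resolved for an HTTPS request
var_dump((bool) 'auto');        // what a plain bool coercion of 'auto' gives
```

Comparing the emitted `Set-Cookie` header against these resolved values in a functional test is a quick way to catch a regression in either the `Path` scope or the `Secure` flag.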