Request hasPreviousSession and Cookie Session Handler about nelmiosecuritybundle HOT 12 CLOSED

I am wondering if it's a change in symfony that broke the functionality or if I am missing some mistake you did in configuring it.. Could you paste your nelmio_security config block?

from nelmiosecuritybundle.

framework:
  session:
    name: session
    cookie_path: /foo/
    cookie_httponly: true
    cookie_secure: true
    handler_id: nelmio_security.session.handler

nelmio_security:
  cookie_session:
    enabled: true
    name: session     # the docs says to use cookie_name, but it doesn't actually exist
    path: /foo/
    secure: true

  signed_cookie:
    names: ['*']

  encrypted_cookie:
   names: ['*']

from nelmiosecuritybundle.

Sorry for not getting back to you but I think what might be wrong is that you set

name: session
cookie_path: /foo/
cookie_httponly: true
cookie_secure: true

In the framework.session config. I think you shouldn't and that it might be interfering and you end up with twice the same cookie name, but maybe I'm wrong.

Or did you figure it out?

Aside from that thanks for spotting the docs mistake, I fixed that at least.

from nelmiosecuritybundle.

I removed those configuration lines in framework.session but I end up getting "Your session has timed out, or you have disabled cookies."

When I look in the network inspector for Chrome, I can see the cookies being set in the response, and then sent back in the request, but it seems like the framework doesn't pick it up unless I set framework.session.name.

from nelmiosecuritybundle.

I'm having exactly the same problem (sf 2.5).
It looks like since the native session cookie (PHPSESSID) is being removed by EncryptedCookieListener and SignedCookieListener.

The mayor problem is that the session cookie PHPSESSID is not put into the response so EncryptedCookieListener and SignedCookieListener can't do there magic on those cookies. A simple check like elseif (!ini_get('session.use_cookies') || $name !== session_name()) instead of else within the onKernelRequest would fix the problem but i'm not sure that is the correct way to fix this.

My config:

framework:
  session:
    storage_id: session.storage.native
    handler_id: session.handler.native_file
# Security
nelmio_security:
  # signs/verifies all cookies
  signed_cookie:
    names: ['*']
    secret: %cookie_secret%
    hash_algo: sha512
  # encrypt all cookies
  encrypted_cookie:
    names: ['*']
    secret: %cookie_secret%
    algorithm: rijndael-256
  # prevents framing of the entire site
  clickjacking:
    paths:
      '^/.*': DENY

from nelmiosecuritybundle.

👍 simply does not work at all with symfony 2.7
I just can not log in if encrypter/singer is enabled.. Debugged and ended up with the same result - cookies are removed from request, and onKernelResponse simply not getting called.
We use Redis to store our sessions.

from nelmiosecuritybundle.

Symfony 2.7 here. Same use case as rodush.

from nelmiosecuritybundle.

Run into the same problem 😞

from nelmiosecuritybundle.

same problem. symfony 3.

from nelmiosecuritybundle.

Think we're hitting the same problem in Symfony 3 (using signed_cookie).

Edit: recreated locally in my browser, but our tests don't see the problem (tried both Goutte and a real browser using Selenium).

Edit 2: SignedCookieListener::onKernelResponse() doesn't see the cookie being set, so doesn't get signed. SignedCookieListener::onKernelRequest() then always fails to check the cookie.

from nelmiosecuritybundle.

Is there any progress or some knowledge about a workaround for this issue? We are experiencing the same issue in a symfony 3.4 project.

from nelmiosecuritybundle.

Closing the issue since SessionCookieHandler and EncryptedCookieListener have been removed in 3.0, feel free to open a new issue if the problem persists.

from nelmiosecuritybundle.