The original issue #7380 was just caused because the developer missed to save the session before doing the redirect. That's all. This reverts #8270 and following.
This PR was squashed before being merged into the 2.3 branch (closes#12293).
Discussion
----------
Remove aligned '=>' and '='
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | [https://github.com/symfony/symfony/issues/12284]
| License | MIT
Could you said to me if i should make an other PR for 2.5 branch.
Commits
-------
51312d3 Remove aligned '=>' and '='
[HttpFoundation] fixed the docs so that it gives some explanation about how you are vulnerable to CSRF when you enable the httpMethodeParameterOverride
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] fixed some volatile tests
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | see #11588
| License | MIT
| Doc PR | n/a
Commits
-------
00c1b75 [Process] fixed some volatile tests
974bf01 [HttpKernel] fixed a volatile test
6020c43 [HttpFoundation] fixed some volatile tests
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
9e1bc22 Add tests and more assertions
101a3b7 [FrameworkBundle][Translator] Validate locales.
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
3b4046e [HttpFoundation] added some missing tests
cefe237 fix parsing of Authorization header
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
1ee96a8 Test examples from Drupal SA-CORE-2014-003
5506ee8 Fix potential DoS when parsing HOST
This PR was squashed before being merged into the 2.3 branch (closes#11510).
Discussion
----------
[HttpFoundation] MongoDbSessionHandler supports auto expiry via configurable expiry_field
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11508
| License | MIT
| Doc PR | no
ToDo
* [x] Fix Tests
Looking for feedback on this early PR.
This adds a config option that disables the PHP GC method call from doing anything,
It also means that the write method sets up the auto expiring index.
Ref: #11508
Commits
-------
b56b740 [HttpFoundation] MongoDbSessionHandler supports auto expiry via configurable expiry_field
This PR was merged into the 2.3 branch.
Discussion
----------
fix some docblocks
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Commits
-------
1775da5 fix some docblocks
This PR was merged into the 2.3 branch.
Discussion
----------
[Tests] don't disable constructor calls to mockups of classes that extend intern...
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Fixes the tests for the 2.3 branch as reported by @stof in #11176.
Commits
-------
2c726b8 don't disable constructor calls to mockups of classes that extend internal PHP classes
See [PSR-2](http://www.php-fig.org/psr/psr-2/) paragraph 5.2
> There MUST be a comment such as `// no break` when fall-through is intentional in a non-empty case body.
Related to #11181
Request#getUser() and Request#getPassword() introduced in
aecfd0a891 do not handle the lack of
PHP_AUTH_USER and PHP_AUTH_PW in $this->server when using PHP-FPM. Use
$this->headers instead.
Furthermore, the test of empty password now expects an empty string
instead of NULL according to a450d002f2.
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] smaller fixes for PdoSessionHandler
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #10652
| License | MIT
For both the PdoSessionHandler and DbalSessionHandler
- https://github.com/symfony/symfony/pull/10652#issuecomment-42370425: Transactional DELETE + INSERT does not work as expected
- https://github.com/symfony/symfony/pull/10652#issuecomment-44359784: sqlsrv 2005 does not support the MERGE SQL, and if used it requires an HOLDLOCK
- missing time update for sqlsrv and oracle
Commits
-------
a0e1d4d [Doctrine Bridge] fix DBAL session handler according to PdoSessionHandler
00d707f [HttpFoundation] use different approach for duplicate keys in postgres, fix merge for sqlsrv and oracle
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] implement session locking for PDO
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #4976 for PDO
| License | MIT
This is probably the first Session Handler for databases that actually works with locking. I've seen many implementations of session handlers (mostly only for one database vendor) while researching and none used locking. Not even the [PHPs SQLite session handler](https://github.com/php/php-src/blob/PHP-5.3/ext/sqlite/sess_sqlite.c) or [PECL Postgres Handler](http://svn.php.net/viewvc/pecl/session_pgsql/trunk/session_pgsql.c?revision=326806&view=markup) implemented locking correctly which is probably the reason why they have been discontinued. [Zend Session](https://github.com/zendframework/zf2/blob/master/library/Zend/Session/SaveHandler/DbTableGateway.php) seems not to use locking either. But it saves the lifetime together with the session which seems like a good idea because you could have different lifetimes for different sessions.
- Implements session locking for MySQL, Postgres, Oracle, SQL Server and SQLite.
Only tested it for MySQL. So would be good if someone can confirm it works as intended on the other databases as well.
- Also removed the custom RuntimeException which is not useful and a PDOException extends RuntimeException anyway, so no BC break.
- I added a default for the table name to be in line with the DoctrineSessionHandler.
- Check session.gc_maxlifetime in read(). Imagine we have only ever one user on an app. If maxlifetime is not checked in read, his session would never expire! What I don't get is why PHP calls gc() after read() instead of calling it before... Strange decision. For this reason I also had to do the following to improve performance.
- I delay gc() to close() so that it is executed outside the transactional and blocking read-write process. This way, pruning expired sessions does not block them from being started while the current session is used.
- Fixed time update for Oracle and SQL Server.
Commits
-------
50ec828 [HttpFoundation] implement session locking for PDO
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] Fix DbalSessionHandler
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
This is basically the same as #10652 for the DbalSessionHandler.
- First commit fixes fix DbalSessionHandler for high concurrency, interface compliance, compatibility with all drivers (oci8, mysqli, pdo with mysql, sqlsrv, sqlite).
- Second commit updates phpdoc of SessionHandlerInterface and unifies parameters of all handlers according to interface (so inheritdoc actually makes sense).
Commits
-------
524bf84 [HttpFoundation] update phpdoc of SessionHandlerInterface and unify parameters of all handlers according to interface
ccdfbe6 [Doctrine Bridge] fix DbalSessionHandler for high concurrency, interface compliance, compatibility with all drivers (oci8, mysqli, pdo with mysql, sqlsrv, sqlite)
This PR was merged into the 2.3 branch.
Discussion
----------
unified return null usages
| Q | A
| ------------- | ---
| License | MIT
This PR unifies the way we return `null` from a function or method:
* always use `return;` instead of `return null;` (the current code base uses both);
* never use `return;` at the end of a function/method.
Commits
-------
d1d569b unified return null usages
This PR was merged into the 2.3 branch.
Discussion
----------
made {@inheritdoc} annotations consistent across the board
| Q | A
| ------------- | ---
| License | MIT
Commits
-------
810b9ed made {@inheritdoc} annotations consistent across the board
This PR was merged into the 2.3 branch.
Discussion
----------
Made types used by Symfony compatible with the ones of Hack
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
PHP supports several ways to express types: like Boolean/bool or integer/int. Hack only supports one of them, so this PR proposes to use the Hack type to make Symfony a bit more "compatible" with Hack (gradual upgrade ;)).
Commits
-------
3c9c10f made phpdoc types consistent with those defined in Hack
0555b7f made types consistent with those defined in Hack
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] fix PDO session handler under high concurrency
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #8448 and http://trac.symfony-project.org/ticket/4777 (which was never really fixed as you can see here)
| License | MIT
- The first commit fixes PDO session handler under high concurrency.
- The second commit uses MERGE SQL for MS SQL Server. Tested with http://sqlfiddle.com/#!6/66b6d/14
- The third commit uses INSERT OR REPLACE for sqlite session handler http://sqlfiddle.com/#!7/e6707/3
What I find rather bad with the class design is that it depends on the table definition, but it's not part of the class. Also it doesn't make use of open() and close() which could be used to make the database connection lazy instead of having is open all the time when not needed. Doctrine also only lazy connects, but we use PDO directly here.
Furthermore, the session handlers should not throw exceptions, from what I read, but return false when an error occurs. This is not followed in this class. Maybe @drak knows how php session management behaves when the session handlers return false?
Commits
-------
5c08e29 [HttpFoundation] use insert or replace for sqlite session handler
05ea19a [HttpFoundation] use MERGE SQL for MS SQL Server session storage
e58d7cf [HttpFoundation] fix PDO session handler under high concurrency
This PR was merged into the 2.3 branch.
Discussion
----------
removed unneeded use statements
| Q | A
| ------------- | ---
| License | MIT
Commits
-------
7f9a366 removed unneeded use statements
* 2.2:
Teardown used wrong property
Modified guessDefaultEscapingStrategy to not escape txt templates
Fix DateType for 32bits computers.
Fixed the registration of validation.xml file when the form is disabled
When getting the session's id, check if the session is not closed
This introduced a regression from #9246, with an incomplete fix ;
As the `started` flag on the NativeSessionStorage was not `true`
anymore when saving the session, the session id was always empty
when saving it, and thus when sending the `PHPSESSID` cookie