symfony

Archived

This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.

History

Robin Chalas 6fef3fb83c feature #33676 [Security] add "anonymous: lazy" mode to firewalls (nicolas-grekas) This PR was merged into the 4.4 branch. Discussion ---------- [Security] add "anonymous: lazy" mode to firewalls \| Q \| A \| ------------- \| --- \| Branch? \| 4.4 \| Bug fix? \| no \| New feature? \| yes \| Deprecations? \| no \| Tickets \| Fixes #26769 et al. \| License \| MIT \| Doc PR \| - Contains #33663 until it is merged. This PR allows defining a firewall as such: ```yaml security: firewalls: main: anonymous: lazy ``` This means that the corresponding area should not start the session / load the user unless the application actively gets access to it. On pages that don't fetch the user at all, this means the session is not started, which means the corresponding token neither is. Lazily, when the user is accessed, e.g. via a call to `is_granted()`, the user is loaded, starting the session if needed. See #27817 for previous explanations on the topic also. Note that thanks to the logic in #33633, this PR doesn't have the drawback spotted in #27817: here, the profiler works as expected. Recipe update pending at https://github.com/symfony/recipes/pull/649 Commits ------- `5cd1d7b4cc` [Security] add "anonymous: lazy" mode to firewalls	2019-09-28 01:05:16 +02:00
..
Symfony	feature #33676 [Security] add "anonymous: lazy" mode to firewalls (nicolas-grekas)	2019-09-28 01:05:16 +02:00

Robin Chalas 6fef3fb83c feature #33676 [Security] add "anonymous: lazy" mode to firewalls (nicolas-grekas)

This PR was merged into the 4.4 branch.

Discussion
----------

[Security] add "anonymous: lazy" mode to firewalls

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | Fixes #26769 et al.
| License       | MIT
| Doc PR        | -

Contains #33663 until it is merged.

This PR allows defining a firewall as such:
```yaml
security:
    firewalls:
        main:
            anonymous: lazy
```

This means that the corresponding area should not start the session / load the user unless the application actively gets access to it. On pages that don't fetch the user at all, this means the session is not started, which means the corresponding token neither is. Lazily, when the user is accessed, e.g. via a call to `is_granted()`, the user is loaded, starting the session if needed.

See #27817 for previous explanations on the topic also.

Note that thanks to the logic in #33633, this PR doesn't have the drawback spotted in #27817: here, the profiler works as expected.

Recipe update pending at https://github.com/symfony/recipes/pull/649

Commits
-------

5cd1d7b4cc [Security] add "anonymous: lazy" mode to firewalls

2019-09-28 01:05:16 +02:00

Symfony feature #33676 [Security] add "anonymous: lazy" mode to firewalls (nicolas-grekas) 2019-09-28 01:05:16 +02:00