SessionHandler's responsibility is to persist the session. However, the current implementation goes beyond Session handling and also does what should be cookie authentication.
- Store the
uidas a session attribute upon user login. Let cookie authentication provider use that to load the logged in user.
- Remove authentication code / responsibilities from
- Remove any dependencies of
SessionManagerfrom current user (since session does not have any means to determine whether a request was authenticated via cookie auth or any third-party provider, see also #79).
- Move the cookie authentication provider to the
usermodule, because that's also where the required login/logout functionality is implemented.
This issue fixesand .
Reviews and commit
User interface changes
The current user's uid is introduced as a session attribute.
Beta phase evaluation
|Issue category||Task because this is code refactoring|
|Prioritized changes||This issue reduces fragility of the Drupal 8 session management and authentication systems and improves code. This issue is also a blocker to several other issues.|
Inwe moved our session handler to a class, but its still the same old spaghetti code a la OOP.
- Split the cookie logic to a proxy class and then the storage (database logic) to another.
- Make the the proxy set the cookies through the Response object and not using directly setcookie(), with the help of SessionListener
That way we are close to the Proxy - Handler system of symfony session and will bring us one step closer to