SessionManager starting a new session with a newly generated session id on every request.
Add test coverage which proves that a session value set in one request can be accessed in a subsequent request when authenticated by the
Review & Commit.
User interface changes
Beta phase evaluation
| Issue priority | Major because it affects the new session and authentication subsystems |
| Unfrozen changes | Unfrozen because it only adds tests. |
There is no way for an AuthenticationProvider supplied by another module to set a session for the user it authenticates.
Suppose a module provides an AuthenticationProvider with a higher priority than the Cookie AuthenticationProvider. That provider will be used to authenticate every request to which it applies, but it will not be able to set a session: any session it sets is reset by the AuthenticationEnhancer class.
AuthenticationManager::getProvider() checks for a permitted AuthenticationProvider. By default the only permitted provider is the one with the lowest priority, i.e. Cookie (in fact the default provider can never be anything other than Cookie; more on this below). Permitted providers can also be listed under the '_auth' key of a route in routing.yml. Any authentication performed by a provider that is not permitted is reset to anonymous by AuthenticationEnhancer. But the '_auth' key can only be set on individual routes. What if I want to use this authentication provider for all routes?
If any AuthenticationProvider has a higher priority than Cookie, it won't be the default, because the default authentication provider is the one with the lowest priority. Yet a module's AuthenticationProvider must have a priority higher than Cookie: the cookie provider applies to every request, so a provider with a lower priority would never be reached. Hence the default authentication provider can never be anything other than Cookie.
This problem can be seen when the basic_auth module is enabled. If a request carries basic_auth credentials in its Authorization header, the BasicAuth AuthenticationProvider is used to authenticate the user, since it has a higher priority than Cookie, and no session is set. As a result, you cannot log in through the login form on the front page while such credentials are present.
Allow all AuthenticationProviders to set the session when the '_auth' key is not present.
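The dispatch described in the problem summary (the highest-priority provider that applies authenticates the request, the lowest-priority provider is the default, and AuthenticationEnhancer resets everything else to anonymous unless the route lists the provider under '_auth'), together with the proposed resolution, as an added Python model. This is illustration code written for this page, not Drupal core: Provider, AuthManager, enhance() and resolve() are invented stand-ins for AuthenticationProviderInterface, AuthenticationManager and AuthenticationEnhancer, the priority 100 for basic_auth is an assumed value, and the routes, session store, users and requests are constructed sample data. The `fixed` flag switches between the current behaviour and the proposed resolution.

```python
"""Model of the authentication dispatch described in this issue.

Added illustration only, not Drupal core code: Provider, AuthManager and
enhance() are invented stand-ins for AuthenticationProviderInterface,
AuthenticationManager and AuthenticationEnhancer; priorities, routes,
session store and requests are constructed sample data.
"""
import base64
from dataclasses import dataclass
from typing import Callable, Optional

ANONYMOUS = "anonymous"

# Constructed sample data: a cookie session store and a basic_auth user table.
SESSIONS = {"sess-1": "alice"}      # session cookie value -> account name
BASIC_USERS = {"bob": "secret"}     # user name -> password


@dataclass
class Provider:
    """Stand-in for an AuthenticationProviderInterface implementation."""
    id: str
    priority: int
    applies: Callable[[dict], bool]
    authenticate: Callable[[dict], Optional[str]]


def cookie_provider() -> Provider:
    # Applies to every request; authenticates from the session cookie.
    return Provider("cookie", 0,
                    applies=lambda req: True,
                    authenticate=lambda req: SESSIONS.get(req["cookies"].get("SESS", "")))


def basic_auth_provider() -> Provider:
    # Applies only when an Authorization header is present. Priority 100 is an
    # assumed value; all that matters is that it is higher than cookie's.
    def auth(req: dict) -> Optional[str]:
        encoded = req["headers"]["Authorization"].split(" ", 1)[1]
        user, _, password = base64.b64decode(encoded).decode().partition(":")
        return user if BASIC_USERS.get(user) == password else None

    return Provider("basic_auth", 100,
                    applies=lambda req: "Authorization" in req["headers"],
                    authenticate=auth)


class AuthManager:
    """Stand-in for AuthenticationManager: the highest-priority provider that
    applies authenticates the request, but the default provider (the only one
    permitted on routes without '_auth') is the lowest-priority one."""

    def __init__(self, providers: list) -> None:
        self.providers = sorted(providers, key=lambda p: p.priority, reverse=True)
        self.default_id = min(providers, key=lambda p: p.priority).id

    def get_provider(self, req: dict) -> Optional[Provider]:
        return next((p for p in self.providers if p.applies(req)), None)

    def authenticate(self, req: dict):
        provider = self.get_provider(req)
        if provider is None:
            return None, ANONYMOUS
        return provider.id, provider.authenticate(req) or ANONYMOUS


def enhance(route: dict, provider_id: Optional[str], account: str,
            manager: AuthManager, fixed: bool = False) -> str:
    """Stand-in for AuthenticationEnhancer. Current behaviour: without '_auth'
    only the default provider may keep its account. fixed=True models the
    proposed resolution: without '_auth', every provider may set the session."""
    allowed = route.get("options", {}).get("_auth")
    if allowed is None:
        if fixed:
            return account
        allowed = [manager.default_id]
    return account if provider_id in allowed else ANONYMOUS


def default_provider_id() -> str:
    return AuthManager([cookie_provider(), basic_auth_provider()]).default_id


def resolve(route: dict, req: dict, fixed: bool = False) -> str:
    """Account the request ends up running as on the given route."""
    manager = AuthManager([cookie_provider(), basic_auth_provider()])
    provider_id, account = manager.authenticate(req)
    return enhance(route, provider_id, account, manager, fixed)


# Constructed routes: the first has no '_auth' option, the second corresponds
# to a routing.yml entry with `options: {_auth: ['basic_auth']}`.
FRONT_PAGE = {"path": "/", "options": {}}
BASIC_ONLY = {"path": "/secure", "options": {"_auth": ["basic_auth"]}}

# Constructed requests.
COOKIE_REQ = {"headers": {}, "cookies": {"SESS": "sess-1"}}
BASIC_REQ = {"headers": {"Authorization": "Basic " + base64.b64encode(b"bob:secret").decode()}, "cookies": {}}
BAD_BASIC_REQ = {"headers": {"Authorization": "Basic " + base64.b64encode(b"bob:wrong").decode()}, "cookies": {}}

if __name__ == "__main__":
    print("default provider:", default_provider_id())
    for name, route, req in [("front page, cookie", FRONT_PAGE, COOKIE_REQ),
                             ("front page, basic_auth", FRONT_PAGE, BASIC_REQ),
                             ("_auth route, basic_auth", BASIC_ONLY, BASIC_REQ),
                             ("_auth route, cookie", BASIC_ONLY, COOKIE_REQ)]:
        print(f"{name}: current={resolve(route, req)} fixed={resolve(route, req, fixed=True)}")
```

Running it shows the symptom from the summary: on the front page a request with valid basic_auth credentials ends up anonymous under the current rules even though BasicAuth authenticated it, and the default provider is cookie regardless of basic_auth's higher priority. With `fixed=True` the same request keeps its account, while a route that lists only basic_auth under '_auth' still rejects the cookie session, so the per-route restriction is unchanged by the proposal.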