In my case, it was the following use case that triggered the issue:
I have a process of two forms in a dialog. The first is a customized login form; it is submitted, the user is logged in, the session is regenerated, and then my AJAX callback of the submit button is called, where I immediately build a new form and return that to the user.
That works perfectly well, but the second form then can't be submitted, because it fails on the form token. On those AJAX requests, the user does not have a CSRF token in the session, despite getting one generated when the form was built.
The reason is that session regenerating somehow re-initializes $_SESSION and detaches it from the Symfony session meta bag, so an update there isn't reflected in the session.
@znerol said in the link above:
Bags are references on $_SESSION['bag_name'], so maybe those references need to be refreshed after the call to session_id. I guess that SessionManager::startNow() is the culprit, because that tries to transfer session data by copying it. Maybe it is enough to call parent::loadSession() after restoring the session data?
Beta phase evaluation
| Issue priority | Critical because it prevents data loss of session data set immediately after login |
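The reference detachment described in the summary and in the quoted comment can be reproduced without a real session. The following is an added example, not Drupal or Symfony code: `$store` stands in for `$_SESSION`, the `Bag` class and `attach()` helper are hypothetical, the `csrf_token_seed` key and its values are constructed, and the serialize/unserialize round trip is an assumed stand-in for session data being reloaded into a fresh array.

```php
<?php
// Constructed simulation: no session extension, Drupal or Symfony involved.

final class Bag {
    private $data = [];

    // Binds by reference, as Symfony's bag initialize(array &$array) methods do.
    public function initialize(array &$array): void {
        $this->data = &$array;
    }

    public function set(string $key, $value): void {
        $this->data[$key] = $value;
    }
}

// Hypothetical helper: (re)bind a bag to its slot in the storage array.
function attach(array &$store, Bag $bag, string $name): void {
    if (!isset($store[$name])) {
        $store[$name] = [];
    }
    $bag->initialize($store[$name]);
}

function seed(array $store): string {
    return $store['meta']['csrf_token_seed'] ?? '(missing)';
}

$store = [];                       // stand-in for $_SESSION
$bag = new Bag();
attach($store, $bag, 'meta');

$bag->set('csrf_token_seed', 'seed-before-login');
echo "bound:    ", seed($store), PHP_EOL;

// Regeneration stand-in: the data survives, but it now lives in a new array,
// so the bag still points at the old, orphaned one.
$store = unserialize(serialize($store));

$bag->set('csrf_token_seed', 'seed-after-login');
echo "detached: ", seed($store), PHP_EOL;   // the bag's write did not reach $store

// Refreshing the reference restores write-through to the storage array.
attach($store, $bag, 'meta');
$bag->set('csrf_token_seed', 'seed-after-login');
echo "rebound:  ", seed($store), PHP_EOL;
```

The middle step is the failure mode from the summary: the value written after regeneration never reaches the array that gets persisted, so the next request validates against stale or missing token data.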
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 91,428 pass(es).
FAILED: [[SimpleTest]]: [PHP 5.4 MySQL] 91,418 pass(es), 1 fail(s), and 0 exception(s).
PASSED: [[SimpleTest]]: [PHP 5.4 MySQL] 91,421 pass(es).