Problem/Motivation

Drupal implemented much of Symfony's session handling logic in the D8 cycle in #2229145: Register symfony session components in the DIC and inject the session service into the request object. However, Symfony's SessionListener was not [separately?] implemented. I can't find any comments specific to this point, but it appears that perhaps this was omitted because Drupal could just as easily add the session manager to the DIC and provide access to session data, there? Regardless, this isn't much of an issue for most users, except:

I come to this issue from the second avenue, but the problem remains the same - PHP's native session handling is a bit janky and incompatible with alternative servers.

Symfony apps that more directly implement the HttpKernel component received updates in 5.4 which convert the session cookie from being set natively by PHP and lifts it into the response object. Drupal can and should stay closer to the Symfony trunk and in doing so receive this compatibility improvement. Daffie's Swoole module more or less include this change in a patched version of SessionManager, but there's no reason we should have to do so there if we could use Symfony's shipped session listener, instead.

That speaks to the response handling of the Symfony SessionListener; the request side sets the session on the request object. Drupal handles this in middleware. However, the Symfony SessionListener does basically the same thing, including saving the session. See https://git.drupalcode.org/project/drupal/-/blob/9018da4a5b181bc0fa3fbe2...

Steps to reproduce

Witness Drupal not being compatible with Swoole/PHP-PM/etc. or weirdness with session handling as described above.

Proposed resolution

Replace Drupal's bespoke Session stack middleware and implement more native compatibility with CLI invocation by implementing Symfony's SessionListener.

Remaining tasks

User interface changes

None

API changes

Session stack middleware removal.

Data model changes

Release notes snippet

Comments

bradjones1 created an issue. See original summary.

daffie’s picture

daffie commented
Component: system.module » base system

+1 for me. Please lets do this! Getting the sessions to work with Swoole is really hard.

andypost’s picture

andypost
he/him
Primary language Russian
commented
Parent issue: » #2371629: [meta] Finalize Session and User Authentication API

There's meta issue we are working on for years to clean-up session management and this one surely is a part of it

znerol’s picture

znerol commented

SessionManager shouldn't be there at all. Every patch which gets us closer to native Symfony session is very welcome.

Symfony PR 41390 also introduced automated cleanup of cookies for empty sessions. This is one of the features we absolutely wanted to keep when porting session management from Drupal 7.

znerol’s picture

znerol commented

One thing which needs to be considered whether something should be a middleware or an event listener: Stack middleware doesn't mix with events at all. An event listener can have an infinitely high priority, it is always beaten by all the middlewares in the stack.

andypost’s picture

andypost
he/him
Primary language Russian
commented
Related issues: +#3187037: Lost Symfony features cased by missing parent calls in SessionManager
andypost’s picture

andypost
he/him
Primary language Russian
commented
Version: 10.0.x-dev » 11.x-dev

Cookie cleaning since SF 5.6 but the issue was lost

andypost’s picture

andypost
he/him
Primary language Russian
commented

The deprecation of SessionManager could go separate issue

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.