[HttpFoundation] Clarify behavior of session access via RequestStack to avoid auto-starting sessions #20891
…to avoid auto-starting sessions

Symfony documentation states that sessions are automatically started when accessed (read/write/check), and recommends avoiding session access for anonymous users to prevent unnecessary session cookies.

However, obtaining the session via `Request::getSession()` or `RequestStack::getSession()` may throw a `SessionNotFoundException` if no session has been started yet — contradicting the suggestion to simply "avoid accessing the session".

This PR adds clarification/code handling to:
- Prevent unintended session creation when checking for session presence
- Avoid potential exceptions when attempting to retrieve a session too early
- Align with Symfony's performance recommendation for anonymous users

I might be misunderstanding the intended behavior, so if that's the case, I apologize and will happily close this PR. Just wanted to raise the concern in case it helps improve clarity.
nicolas-grekas commented May 28, 2025
When does this exception happen in your case? To me, once sessions are properly enabled, the text is correct.

You're absolutely right, that was my mistake. I really appreciate you taking the time to point it out and explain things clearly. I'll go ahead and close the PR.
Symfony’s documentation states that sessions are automatically started when they are accessed (read, written, or even just checked), and it recommends avoiding session access for anonymous users to prevent unnecessary session cookies.
However, calling `Request::getSession()` or `RequestStack::getSession()` can throw a `SessionNotFoundException` if the session has not yet been started. This behavior contradicts the suggestion to "simply avoid accessing the session," since accessing it directly may cause an exception rather than just lazily starting the session as in previous versions where the session was injected via `SessionInterface`.

For this reason, I believe it makes sense to remove the following line from the documentation:
"Sessions are automatically started whenever you read, write or even check for the existence of data in the session. This may hurt your application performance because all users will receive a session cookie. In order to prevent starting sessions for anonymous users, you must completely avoid accessing the session."
This guidance may no longer reflect the actual behavior, where trying to access a session that doesn't exist now results in an exception, not an automatic creation.
It’s possible that I’m misunderstanding the intended behavior. If that’s the case, I apologize and will be happy to close this pull request. I just wanted to raise the concern in case it helps clarify the documentation.
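
The following is an added example, not code from the pull request or from the Symfony documentation. It separates the two behaviours discussed in this thread: `getSession()` throwing when no session object is attached to the request, and the session only starting (and a cookie being issued) on first data access. It assumes `symfony/http-foundation` is installed via Composer; the `/profile` path and the `theme` key are constructed sample values.

```php
<?php
// Added example; run with: composer require symfony/http-foundation
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;

// Constructed anonymous request: no cookies, no session attached.
$request = Request::create('/profile');

// Case 1: sessions are not wired up at all. There is no object to return,
// so getSession() throws instead of starting anything.
var_dump($request->hasSession());                 // bool(false)
try {
    $request->getSession();
} catch (SessionNotFoundException $e) {
    echo "no session attached: ", $e->getMessage(), "\n";
}

// Case 2: sessions are enabled. The framework attaches a session object
// to the request; it exists but is not started yet.
// MockArraySessionStorage keeps data in memory and sends no real cookie.
$request->setSession(new Session(new MockArraySessionStorage()));

$session = $request->getSession();                // no exception now
var_dump($session->isStarted());                  // bool(false)

// Safe presence check for anonymous users: true only when the client
// already sent a session cookie. It does not start the session.
var_dump($request->hasPreviousSession());         // bool(false)
var_dump($session->isStarted());                  // bool(false)

// Any read, write or existence check on session data starts it lazily.
$session->get('theme');
var_dump($session->isStarted());                  // bool(true)

// Pattern that keeps anonymous requests cookie-free: touch session data
// only when a previous session exists.
$anonymous = Request::create('/profile');
$anonymous->setSession(new Session(new MockArraySessionStorage()));
$theme = $anonymous->hasPreviousSession()
    ? $anonymous->getSession()->get('theme', 'light')
    : 'light';
var_dump($anonymous->getSession()->isStarted());  // bool(false)
```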