Reputation: 3476
Using Symfony 3.0.7
I'm unable to set and retrieve arbitrary data in the session for an anonymous user.
I usually retrieve data from the session object, inside any controller, with these few lines:
public function dummyAction(Request $request)
{
    # …
    $session = $request->getSession();
    $my_datas = $session->get('my_key');
    # …
}
Until today this was needed (and worked) on URLs that stand behind a firewall configured the standard way, meaning with login and login_check keys along with user providers, etc.
BUT
Now I need a new firewall to guard a new area: "/api/.+".
This area must be stateless, but one special, unique URI, "/api/signup", has to allow sessions.
And so I created the following firewalls:
firewalls:
    apisignup:
        pattern: api/signup
        anonymous: ~
    api:
        pattern: /api/
        provider: usr
        stateless: true
        lexik_jwt: ~
All I need is to persist a single scalar value (a captcha solution) into the session when the visitor hits
GET http://192.168.0.5/app_dev.php/en/api/signup
then, on a POST to that same URL, I need to retrieve the value.
Notes
Currently, whether I hit this URL through GET or POST, the server response always contains a "set-cookie" header, as if the browser simply drops this command and does not pass the cookie along on the next request.
I tested using the following snippets:
### SERVER SIDE
// at the top of the controller file
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\JsonResponse;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;

/**
 * @Route( "/signup", name="api_signup")
 * @Method( {"GET","POST"} )
 */
public function signupAction( Request $request )
{
    $session = $this->get('session');
    if ( $request->isMethod('POST') ) {
        $datas = $request->request->all();
        return new JsonResponse([
            'received' => $datas['captcha']
            ,'captcha' => var_export($session->get('captcha'), true)
        ]);
    }
    $session->set('captcha','foobar');
    return new JsonResponse(['challenge' => 'foobar']);
}
### CLIENT SIDE
$.ajax({
    url:'http://192.168.0.100/app_dev.php/en/api/signup'
    ,method: 'get'
    ,success : function(datas){
        // datas.challenge && $('#captcha').html(datas.challenge) &&
        $.ajax({
            url:'http://192.168.0.100/app_dev.php/en/api/signup'
            ,method: 'post'
            ,data: {
                captcha: 'foobar' // prompt("Captcha ?")
                // ...
            }
        });
    }
});
In the POST JsonResponse, the "captcha" value always contains null.
Any idea of what I'm missing, or what could lead to this behaviour?
Thank you.
Upvotes: 1
Views: 181
Reputation: 894
I bet you are issuing requests from another domain.
In this case, remember that CORS requires:
- the Access-Control-Allow-Credentials header has to be set to true
- the withCredentials XHR property has to be set to true
Then your XMLHttpRequest will send any available cookies for that domain along with the request. Make sure to set a proper restriction policy in order to lower the risk of CSRF.
Upvotes: 1
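As an added illustration of the rules the answer refers to (this is example code, not from the question or the answer): the server must echo the exact allowlisted Origin rather than "*" together with Access-Control-Allow-Credentials: true, the client must set withCredentials, and the browser model below shows what happens when either side is missing. It assumes the page lives on http://192.168.0.5 and calls the API on http://192.168.0.100, the two hosts in the question; the allowlist and the checker are constructed for this example.

```javascript
// Constructed allowlist: only the page's own origin may make credentialed calls.
const ALLOWED_ORIGINS = new Set(['http://192.168.0.5']);

// Server side: CORS response headers for a credentialed request.
// Returns null for an Origin that is not allowlisted, so no CORS headers are
// emitted at all and the browser blocks the cross-origin read.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // the exact origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Vary': 'Origin', // caches must not reuse this response for other origins
  };
}

// Client side: the jQuery option missing from the question's $.ajax calls.
function ajaxOptionsWithCredentials(url, method, data) {
  return { url, method, data, xhrFields: { withCredentials: true } };
}

// Browser model: given the request's Origin, the client's withCredentials flag
// and the server's response headers, report whether the session cookie was
// sent and whether the script may read the response. Note that a blocked
// response does not undo the request: the server already handled it, which is
// why the answer's "restriction policy" (and CSRF protection) still matters.
function evaluateCorsExchange(origin, withCredentials, headers) {
  const cookieSent = withCredentials; // no withCredentials => anonymous request
  if (!headers) {
    return { cookieSent, responseReadable: false, reason: 'no CORS headers' };
  }
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (withCredentials && acao === '*') {
    return { cookieSent, responseReadable: false, reason: 'wildcard origin with credentials' };
  }
  if (withCredentials && acac !== 'true') {
    return { cookieSent, responseReadable: false, reason: 'Allow-Credentials not true' };
  }
  if (acao !== '*' && acao !== origin) {
    return { cookieSent, responseReadable: false, reason: 'origin mismatch' };
  }
  return { cookieSent, responseReadable: true, reason: 'ok' };
}
```

The question's exchange corresponds to the first case below: without withCredentials the response is readable, but no cookie travels with it, so the server sees a fresh anonymous session on every call.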