Session doesn not work with Symfony

[speller]

No duplicates 🥲.

• I have searched for a similar issue in our bug tracker and didn't find any solutions.

What happened?

Sessions in my Symfony are recreated on every request.

Version (rr --version)

2.12.2

How to reproduce the issue?

Not sure how to reproduce it.

Environment: local HTTP
Symfony version: 6.2.5
baldinof/roadrunner-bundle: 2.2.4

In the \Baldinof\RoadRunnerBundle\Http\KernelHandler::handle() method, the request contains the session id cookie:

But there's no $_COOKIE array

So when Symfony tries to start a session in \Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage::start(), it tries to get the session id value from $_COOKIE and gets nothing, creating a new session. How to fix this?

I found only this relevant issue #18 but it's quite old and closed.

Relevant log output

No response

[rustatian]

Hey @speller 👋🏻
There are no superglobals in the RR. HTTP plugin supports PSR-7 standard. To get the cookies, you can use getCookieParams on the RR request.

[rustatian]

I'm not sure as I'm not a PHP developer. Maybe @Baldinof can help more here.

[rustatian]

Converting into a discussion, since this is not a bug.

[speller]

@rustatian I can do whatever I want. But how to make Symfony do this? That's the question. If out-of-the-box Symfony integration doesn't support sessions, this must be mentioned in the documentation.

[rustatian]

Have you tried to use getCookieParams method?

[Baldinof]

Hello, can you dump the content of your .rr.yaml and baldinof_roadrunner.yaml please?

[rustatian]

reload plugin was removed in the v2023.x.x builds btw. It causes several performance drawbacks, especially on macOS.
To disable a plugin you should remove its configuration, so, no way to do that w/o removing the whole section.

[nmeri17]

Doesn't this mean that each code change will result in manually stopping and starting the application server? 😰

[Baldinof]

I don't see what can make the session not working with Symfony.

Are you able to provide a reproducer repository? I would gladely help but I'm not able to reproduce it on a fresh project.

[rustatian]

Doesn't this mean that each code change will result in manually stopping and starting the application server?

@nmeri17 please, read the release notes: https://github.com/roadrunner-server/roadrunner/releases/tag/v2023.1.0

[rustatian]

@speller Have you had a chance to create a reproducible sample/repo?

[nmeri17]

Very very interesting as I struggled with this over the weekend and it actually cost me an assessment I tried building with roadrunner. After much tinkering, it turns out that roadrunner is unable to recognise incoming sessions when there are multiple http workers in use. When reduced to 1, sessions work seamlessly. When increased (I was using 4), the worker that receives the request won't be the one request originated from, and simply send an empty session to the application

Nb: I'm not using symfony but suphle. The superglobals are empty, so this isn't a matter of getCookieParams or psr. So the question now is how to get multiple http workers to share and recognise the same session objects coming in, irrespective of whether they were the ones to serve the outgoing request

[roxblnfk]

There is yet another example. https://github.com/bryanjhv/slim-session

There a session handler is registered and you can use $_SESSION inside pipeline.
PSR request you can get from RoadRunner Http PSR7Worker, not from globals.

[nmeri17]

I have tried the odan package. Same outcome. Below is the updated file; it's basically a wrapper around their package:

namespace Suphle\Adapters\Session;

use Suphle\Contracts\IO\{Session as SessionContract, EnvAccessor};

use Suphle\Services\Decorators\BindsAsSingleton;

use Odan\Session\PhpSession;

#[BindsAsSingleton(SessionContract::class)]
class NativeSession implements SessionContract
{
    protected PhpSession $client;

    public function __construct(EnvAccessor $envAccessor)
    {

        $this->client = new PhpSession([

        	"lifetime" => $envAccessor->getField("SESSION_DURATION")
        ]);

        $this->client->start();
    }

    public function setValue(string $key, $value): void
    {

        $this->client->set($key, $value);
    }

    public function getValue(string $key)
    {

        return $this->client->get($key);
    }

    public function allSessionEntries(): array
    {

        return $this->client->all();
    }

    public function getOldInput(string $key)
    {

        return $this->client->getFlash()->get($key);
    }

    public function setFlashValue(string $key, $value): void
    {

        $this->client->getFlash()->add($key, $value);
    }

    public function hasKey(string $key): bool
    {

        return $this->client->has($key);
    }

    public function hasOldInput(string $key): bool
    {

        return $this->client->getFlash()->has($key);
    }

    public function resetOldInput(): void
    {

        $this->client->getFlash()->clear();
    }

    public function reset(): void
    {

        $this->client->clear();
    }
}

All I'm saying, is it not possible to investigate the reason PHP's native session works perfectly when number of workers is limited to 1? I didn't bother trying out the bryanjhv package since it appears too strongly coupled to the slim framework

[roxblnfk]

Hello @nmeri17. I'm really sure that PHP's native session doesn't work perfectly with any count of workers if there is no any implementation of SessionHandler or request wrapper.
I tried your example and it works the same with any number of workers: $_SESSION stores values through all requests because superglobal. It doesn't work perfectly because it doesn't know where is the true session id.
Did you try to start different sessions in different browser on the same worker? There will be the same session in different browsers.

---

You can use that example to make a dream worker.
There are few hacks that help restart session correctly between few devices.
I spent a couple of hours with this case and I hope it won't go to waste.

while (true) {
    try {
        $request = $psr7->waitRequest();
    } catch (\Throwable $e) {
        $psr7->respond(new Response(400));
        continue;
    }

    // unexisted session id forces generating new session
    session_id($request->getCookieParams()['ssid'] ?? \random_bytes(16));

    // Start session using standard PHP session handler
    session_start([
        'save_path' => __DIR__ . '/sessions', // directory must exist
        'use_cookies' => 0,
        'use_only_cookies' => 1,
        'use_strict_mode' => 1,
    ]);

    try {
        // Your code here
        $_SESSION['counter'] = ($_SESSION['counter'] ?? 0) + 1;
        dump($_SESSION);
    } finally {
        // Get actual session id
        $sessionId = session_id();
        // Write and close session
        session_write_close();
    }

    // Send session id in cookie
    try {
        $psr7->respond(
            (new Response(200, [], "Hello RoadRunner!!!!!!!1111 Session : $sessionId"))->withHeader(
                'Set-Cookie', "ssid={$sessionId}; path=/; HttpOnly"
            )
        );
    } catch (\Throwable $e) {
        $psr7->respond(
            (new Response(500, [], "Something Went Wrong!  Session : $sessionId"))->withHeader(
                'Set-Cookie', "ssid={$sessionId}; path=/; HttpOnly"
            )
        );
        $psr7->getWorker()->error((string)$e);
    }
}

[nmeri17]

Alright, @roxblnfk. I've made some headway, but still can't figure out what I'm doing wrong. First of all, cookie payload is now visible cuz I'm intercepting from the event loop, instead of using a random psr package. And also writing the cookie header. This is the read part. I'm posting it for you to point out whether it's safe to pass it to the superglobal. I imagine it is since this loop changes after each request:

protected function flushHttpResponse(?ServerRequestInterface $newRequest): void
    {

        $_POST = $newRequest->getParsedBody() ?? []; // this is the only way to retrieve payload. Any attempt outside this object sees everything as empty. Using POST instead of passing it all the way down to payloadStorage, since it's the only usage with that requirement; moreover, downward interacts with requestDetail, not payloadStorage

        $_COOKIE = $newRequest->getCookieParams();

        $renderer = $this->getRequestRenderer(
            $newRequest->getRequestTarget(),
            false
        );

        $this->httpWorker->respond(
            $this->getPsrResponse($renderer)
        );
    }

Yesterday, while testing this from NativeSession, I observed that desired content was getting written to the session, but unfortunately wasn't getting picked up after what should be a redirect flow i.e. GET->POST->GET (session data gets lost here). Further debugging has gotten me into the current state I need an extra pair of eyes on. The session file is no longer written to anywhere!

I have checked C:\wamp64\tmp but the sess_cookie-name is not there. I have tried using ini_set, session_save_path and the save_path key, all to no avail. I've restarted the server and my system. Strangely enough, another file gets written to those directories after each request. But since it doesn't bear the name of the cookie sent/supposed session id, it just keeps creating new ones, thereby defeating the aim of data persistence. This is the class now:

namespace Suphle\Adapters\Session;

use Suphle\Contracts\IO\{EnvAccessor, Session as SessionContract};

use Suphle\Services\Decorators\BindsAsSingleton;

#[BindsAsSingleton(SessionContract::class)]
class NativeSession implements SessionContract
{
    public const FLASH_KEY = "_flash_entry",

    DEFAULT_SESSION_KEY = "suphle";

    protected string $sessionId = "";

    public function __construct(protected readonly EnvAccessor $envAccessor)
    {

        $this->safeToStart();
    }

    /**
     * Avoid "session already started" errors. The superglobal must wait for this to be called before it can be accessed. Otherwise, all data from preceding request will be lost
     */
    protected function safeToStart(array $sessionOptions = []): void
    { // redesign this to receive external input instead of being called from the constructor?

        $isSafe = session_status() == PHP_SESSION_NONE // sessions are enabled but none exists

        && !headers_sent();

        if (!$isSafe) return;

        session_id($this->getSessionId());

        session_start(array_merge(["save_path" => __DIR__ . "/sxc", // remove

            /*"use_cookies" => 0,

            "use_only_cookies" => 1,*/

            "use_strict_mode" => 1
        ], $sessionOptions));var_dump($this->getSessionId(), $_SESSION, $_COOKIE);
    }

    protected function getSessionId ():string {

        if (!empty($this->sessionId)) return $this->sessionId;

        return $this->sessionId = $_COOKIE[self::DEFAULT_SESSION_KEY] ??

        session_create_id();
    }

    public function getCookieData ():string {

        return implode("", [
        
            self::DEFAULT_SESSION_KEY. "=". $this->getSessionId(). ";",

            "path=/; HttpOnly;",

            "Max-Age=". $this->envAccessor->getField("SESSION_DURATION"). ";"
        ]);
    }

    public function setValue(string $key, $value): void
    {

        $_SESSION[$key] = $value;

        session_write_close(); // moves data from memory to file and saves
    }

    public function getValue(string $key)
    {

        return $_SESSION[$key];
    }

    public function allSessionEntries(): array
    {

        return $_SESSION;
    }

    public function getOldInput(string $key)
    {

        return $this->getValue(self::FLASH_KEY)[$key];
    }

    public function setFlashValue(string $key, $value): void
    {

        if (!$this->hasKey(self::FLASH_KEY)) {

            $this->resetOldInput();
        }

        $flash = $this->getValue(self::FLASH_KEY);

        $flash[$key] = $value;

        $this->setValue(self::FLASH_KEY, $flash);
    }

    public function hasKey(string $key): bool
    {

        return array_key_exists($key, $_SESSION);
    }

    public function hasOldInput(string $key): bool
    {

        return $this->hasKey(self::FLASH_KEY) &&

        array_key_exists($key, $this->getValue(self::FLASH_KEY));
    }

    public function resetOldInput(): void
    {

        $this->setValue(self::FLASH_KEY, []);
    }

    public function reset(): void
    {

        $_SESSION = [];

        session_destroy();
    }
}

Can you guess who the culprit could be? Where is it manufacturing that weird cookie value from? Mind you, the isSafe block never runs

[roxblnfk]

@nmeri17 i don't have free time to research a lot of code, but if you implement SessionHandler then you will control a session storage. You will decide where and how to load data. Also you will have a chance to resolve possible race conditions and blocks (when few workers load and save the same session).

[speller]

The issue in our case was in the conjunction of the default session fixation strategy and the HTTP Basic authentication. With this type of authentication, every request is a successful login and Symfomy regenerates the session deleting old session data. I was not aware of this and was repeating the request from a debug proxy with the constant sessions id but this id was already invalidated and represented a destroyed session id so the session_start() PHP function didn't restore the session. I didn't dig deep into this issue. Just switched to another type of authentication.