Session handling is incompatible with stateless routes introducted with Symfony 6.3
cbcf opened this issue · comments
Symptom:
Accessing the routing data route (fos_js_routing_js
) logs a warning ("Session was used while the request was declared stateless.").
In debug mode (i.e. the default dev environment) it causes an UnexpectedSessionUsageException
with the same message.
Condition:
The route - and hence the request - is stateless, either set indirectly by a stateless firewall or in the route definition itself.
Background:
Symfony introduced statless routes in version 6.3.
Initially added in #26, the \FOS\JsRoutingBundle\Controller\Controller::indexAction
tries to access the session to extend the lifetime of auto-expiring flash messages. This PR references the associated handling in the Symfony web debug toolbar (WDT).
Suggested Fix:
The main repository adjusted the WDT code to accomodate stateless routes in symfony/symfony#50218. I will submit a PR with the same updates to the code.
We should assume this to become the default use case, since the router data is cacheable for most applications.
If this issue is fixed, I suggest adding the stateless attribute to the symfony flex recipe for symfony 5.4 and 6.3+ versions.