WEBAPI: PHP session is always started 2.1.2 #7213

Closed
@boldhedgehog

Description

Although the REST API should be stateless for anonymous calls, a PHP session is always created. This is caused by the fact that session_start() is called implicitly from the '\Magento\Framework\Session\SessionManager' constructor.

There are 2 issues with this: a spammed PHP session which will never be used, and, if remote address validation is enabled for sessions, clients with a dynamic IP address will get a 302 redirect instead of the REST API result, which is undesirable.

Preconditions

  1. Magento 2.4-develop

Steps to reproduce

  1. Make a REST request, for example from Swagger UI, but it can be a request from any client. For example, call /V1/directory/countries.

Expected result

  1. Received JSON response with countries;
  2. No PHP session is started;
  3. No PHPSESSID in the response cookies.

Actual result

  1. A PHP session is started and is perhaps never used (because the request is anonymous).

Why?

The reason for this is that in di.xml \Magento\Authorization\Model\CompositeUserContext is fed with the userContexts argument, and at least 2 of them will start a PHP session: customerSessionUserContext and adminSessionUserContext.

How to fix

My PoC solution was to modify vendor/magento/module-customer/etc/webapi_rest/di.xml and vendor/magento/module-user/etc/webapi_rest/di.xml so that the types for userContext would be Proxies, and they would be created on demand.

<!-- vendor/magento/module-customer/etc/webapi_rest/di.xml -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Framework\Authorization">
        <plugin name="customerAuthorization" type="Magento\Customer\Model\Plugin\CustomerAuthorization" />
    </type>
    <type name="Magento\Authorization\Model\CompositeUserContext">
        <arguments>
            <argument name="userContexts" xsi:type="array">
                <item name="customerSessionUserContext" xsi:type="array">
                    <!-- *********************** LET IT BE A PROXY ************************** -->
                    <!-- the Proxy defers constructing the real context (and its session) until it is used -->
                    <item name="type" xsi:type="object">Magento\Customer\Model\Authorization\CustomerSessionUserContext\Proxy</item>
                    <item name="sortOrder" xsi:type="string">20</item>
                </item>
                <item name="adminSessionUserContext" xsi:type="array">
                    <!-- *********************** LET IT BE A PROXY ************************** -->
                    <item name="type" xsi:type="object">Magento\User\Model\Authorization\AdminSessionUserContext\Proxy</item>
                    <item name="sortOrder" xsi:type="string">30</item>
                </item>
            </argument>
        </arguments>
    </type>
</config>

<!-- vendor/magento/module-user/etc/webapi_rest/di.xml -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Authorization\Model\CompositeUserContext">
        <arguments>
            <argument name="userContexts" xsi:type="array">
                <item name="adminSessionUserContext" xsi:type="array">
                    <!-- *********************** LET IT BE A PROXY ************************** -->
                    <item name="type" xsi:type="object">Magento\User\Model\Authorization\AdminSessionUserContext\Proxy</item>
                    <item name="sortOrder" xsi:type="string">30</item>
                </item>
            </argument>
        </arguments>
    </type>
</config>

I do not know which one of the changes fixed the issue, but I achieved the expected result.
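The expected result above (JSON body, no session, no PHPSESSID cookie) is easy to verify from outside the store. The following script is an added example for this issue, not code from Magento or from the reporter: it inspects a response's status and headers and reports when a PHP session cookie was set or when the API answered with a redirect (the 302 case described for remote-address validation). The three sample responses at the bottom are constructed, and the store URL is whatever you pass on the command line.

```python
"""Check whether a REST endpoint starts a PHP session or redirects.

Added example for this issue (not part of Magento). It only reads the HTTP
status and response headers, so it works against any REST URL.
"""
import http.client
import sys
import urllib.parse
from http.cookies import SimpleCookie

SESSION_COOKIE = "PHPSESSID"  # default PHP session cookie name
REDIRECT_CODES = (301, 302, 303, 307, 308)


def session_findings(status, headers):
    """Return a list of human-readable findings for one response.

    `status` is the HTTP status code; `headers` is an iterable of
    (name, value) pairs, as http.client returns them (Set-Cookie may repeat).
    """
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if SESSION_COOKIE in jar:
                findings.append(
                    f"{SESSION_COOKIE} cookie set: a PHP session was started for this request"
                )
    if status in REDIRECT_CODES:
        location = next((v for n, v in headers if n.lower() == "location"), "")
        findings.append(f"HTTP {status} redirect to {location!r} instead of a JSON body")
    return findings


def check_endpoint(url, timeout=10):
    """GET `url` without cookies and return (status, findings).

    Redirects are deliberately not followed, so a 302 is reported as such.
    """
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"Accept": "application/json"})
    resp = conn.getresponse()
    findings = session_findings(resp.status, resp.getheaders())
    conn.close()
    return resp.status, findings


# Constructed sample responses (not captured from a real store).
CLEAN = (200, [("Content-Type", "application/json"), ("Content-Length", "12")])
LEAKY = (200, [("Content-Type", "application/json"),
               ("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly"),
               ("Set-Cookie", "form_key=xyz; path=/")])
REDIRECT = (302, [("Location", "http://store.example/"),
                  ("Set-Cookie", "PHPSESSID=def456; path=/")])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_session.py http://store.example/rest/V1/directory/countries
        status, findings = check_endpoint(sys.argv[1])
        print(status, findings or "no session started, no redirect")
    else:
        for label, (status, hdrs) in (("clean", CLEAN), ("leaky", LEAKY), ("redirect", REDIRECT)):
            print(label, session_findings(status, hdrs) or "ok")
```

Run it against the countries endpoint before and after the di.xml change: the fixed store should return 200 with an empty findings list, while the unpatched one reports the PHPSESSID cookie. Because the script sends no cookies, it models exactly the anonymous client the issue is about.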

Metadata

Assignees

Labels

Component: Framework/Webapi (USE ONLY for FRAMEWORK RELATED BUG! E.g. if the bug is related to the Catalog WEB API use just Catalog)
Fixed in 2.4.x (The issue has been fixed in the 2.4-develop branch)
Issue: Clear Description (Gate 2 Passed. Manual verification of the issue description passed)
Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed)
Issue: Format is valid (Gate 1 Passed. Automatic verification of issue format passed)
Issue: Ready for Work (Gate 4. Acknowledged. Issue is added to backlog and ready for development)
Priority: P2 (A defect with this priority could have functionality issues which are not to expectations)
Reproduced on 2.4.x (The issue has been reproduced on the latest 2.4-develop branch)
Severity: S3 (Affects non-critical data or functionality and does not force users to employ a workaround)
bug report
