Use a shared session cookie between admin and website #256
What's in this PR?
Use a shared session cookie between admin and website.
Why?
Depending on which cookies already exist, and on logging into admin after website or the other way around, you might get logged out of the other session, because the session gets invalidated by a login.
After trying some different options with our partner iCapps (@matthiasseghers), I find that sharing the session on the same path and optionally documenting the invalidate_session config is the way to go.
Historically we set the cookie_path differently to avoid the same issue, but it did not work in all cases. Also, previously we had 2 different security.yaml files, so the website yaml didn't know about the admin yaml security config, and that also forced us to go different ways. With the move to a single security yaml, I also think nothing speaks against a single session now.
I would also prepare a 3.0 merge request to no longer prepend the cookie_path in 3.0 in: https://github.com/sulu/sulu/blob/9ee10853304f2dc39e84a3a91da8e3e193d74391/src/Sulu/Bundle/SecurityBundle/DependencyInjection/SuluSecurityExtension.php#L182