From e56539cd6e15bbb0a68a609bcca1c5de324ed1c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Santiago=20San=20Mart=C3=ADn?= Date: Tue, 15 Apr 2025 22:42:30 -0300 Subject: [PATCH] [HttpFoundation] Clarify behavior of session access via RequestStack to avoid auto-starting sessions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Symfony documentation states that sessions are automatically started when accessed (read/write/check), and recommends avoiding session access for anonymous users to prevent unnecessary session cookies. However, obtaining the session via `Request::getSession()` or `RequestStack::getSession()` may throw a `SessionNotFoundException` if no session has been started yet — contradicting the suggestion to simply "avoid accessing the session". This PR adds clarification/code handling to: - Prevent unintended session creation when checking for session presence - Avoid potential exceptions when attempting to retrieve a session too early - Align with Symfony's performance recommendation for anonymous users I might be misunderstanding the intended behavior, so if that's the case, I apologize and will happily close this PR. Just wanted to raise the concern in case it helps improve clarity. --- session.rst | 5 ----- 1 file changed, 5 deletions(-) diff --git a/session.rst b/session.rst index 9ddf3eb028d..108de39c498 100644 --- a/session.rst +++ b/session.rst @@ -107,11 +107,6 @@ By default, session attributes are key-value pairs managed with the :class:`Symfony\\Component\\HttpFoundation\\Session\\Attribute\\AttributeBag` class. -Sessions are automatically started whenever you read, write or even check for -the existence of data in the session. This may hurt your application performance -because all users will receive a session cookie. In order to prevent starting -sessions for anonymous users, you must *completely* avoid accessing the session. - .. note:: Sessions will also be started when using features that rely on them internally,