Details
- Type: Bug
- Resolution: Fixed
- Priority: High
- Version(s): 2014.05, 5.3.2
Description
As of 5.3 / 2014.03, sessions are supposed to be lazy again, managed by Symfony. This was made possible by handling user authentication through the Symfony Security component.
However, accessing an eZ Publish 5.3 website (frontend) always starts a session (and sends a session cookie if none exists yet), even for anonymous users.
The culprit is eZ\Bundle\EzPublishLegacyBundle\LegacyMapper\Security::onKernelBuilt(): it injects whatever user is authenticated in the Repository into the legacy kernel via eZUser::setLoggedInUser(), which triggers a session start.
Steps to reproduce:
    > curl -I http://ezp53.local/
    HTTP/1.1 200 OK
    Date: Wed, 16 Jul 2014 19:04:59 GMT
    Server: Apache/2.2.22 (Ubuntu)
    X-Powered-By: PHP/5.4.30-2+deb.sury.org~precise+1
    Set-Cookie: eZSESSID=fdtp4lbsnd59v9rnccgs6cgnj0; path=/
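A shell regression check for the behaviour shown in the steps to reproduce, added here as an example; it is not part of this report or of eZ Publish. The cookie name eZSESSID and the host ezp53.local are taken from the report; the two sample header blocks are constructed, and the session id in them is made up.

```shell
#!/bin/sh
# Regression check for the lazy-session bug: an anonymous request to the
# frontend must not receive a session cookie. Added example, not eZ code.

# Constructed sample of a buggy response (session id is made up).
SAMPLE_HEADERS_BUGGY='HTTP/1.1 200 OK
Date: Wed, 16 Jul 2014 19:04:59 GMT
Server: Apache/2.2.22 (Ubuntu)
Set-Cookie: eZSESSID=fdtp4lbsnd59v9rnccgs6cgnj0; path=/'

# Constructed sample of the expected response once sessions are lazy again.
SAMPLE_HEADERS_OK='HTTP/1.1 200 OK
Date: Wed, 16 Jul 2014 19:04:59 GMT
Server: Apache/2.2.22 (Ubuntu)'

# session_cookie_set HEADERS [COOKIE_NAME]
# Prints the session id and returns 0 when a Set-Cookie header for the session
# cookie (default eZSESSID, as in the report) is present; returns 1 otherwise.
# The header name is matched case-insensitively; CRLF line endings are tolerated.
session_cookie_set() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="${2:-eZSESSID}" '
        tolower($1) == "set-cookie:" {
            # $2 is "name=id;" followed by cookie attributes in later fields
            split($2, kv, "=")
            if (kv[1] == name) { sub(/;.*/, "", kv[2]); print kv[2]; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# check_anonymous_session URL
# Fetches response headers with no cookies sent (curl sends none unless asked)
# and fails if the server starts a session for this anonymous request.
check_anonymous_session() {
    url=$1
    headers=$(curl -sI "$url") || return 2
    if sid=$(session_cookie_set "$headers"); then
        echo "FAIL: anonymous request to $url started session $sid"
        return 1
    fi
    echo "OK: no session cookie for anonymous request to $url"
    return 0
}
```

`check_anonymous_session http://ezp53.local/` exits 1 on a build showing the bug and 0 once anonymous requests no longer start a session. Like the report, it uses `curl -I` (a HEAD request); if the site treats HEAD differently from GET, swap in `curl -s -o /dev/null -D - "$url"` to capture the headers of a real GET.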