Magento2: WEBAPI: PHP session is always started 2.1.2

Created on 27 Oct 2016 · 7 Comments · Source: magento/magento2

Although the REST API should be stateless for anonymous calls, a PHP session is always created. This is caused by the fact that session_start() is called implicitly from the '\Magento\Framework\Session\SessionManager' constructor.

There are 2 issues with this: a spammed PHP session which will never be used; and, if remote address validation is enabled for sessions, clients with a dynamic IP address will get a 302 redirect instead of the REST API result, which is undesirable.

Preconditions

  1. Magento 2.4-develop

Steps to reproduce

  1. Make a REST request, for example from Swagger UI, but it can be a request from any client. For example, call /V1/directory/countries

Expected result

  1. Received JSON response with countries;
  2. No PHP session is started;
  3. No PHPSESSID in the response cookies.

Actual result

  1. A PHP session is started and is perhaps never used (because the request is anonymous)

Why?

The reason for this is that in di.xml \Magento\Authorization\Model\CompositeUserContext is fed with the userContexts argument, and at least 2 of them will start a PHP session: customerSessionUserContext and adminSessionUserContext.

How to fix

My PoC solution was to modify vendor/magento/module-customer/etc/webapi_rest/di.xml and vendor/magento/module-user/etc/webapi_rest/di.xml so that the types for userContext would be Proxies, and they would be created on demand.


<!-- vendor/magento/module-customer/etc/webapi_rest/di.xml -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Framework\Authorization">
        <plugin name="customerAuthorization" type="Magento\Customer\Model\Plugin\CustomerAuthorization" />
    </type>
    <type name="Magento\Authorization\Model\CompositeUserContext">
        <arguments>
            <argument name="userContexts" xsi:type="array">
                <item name="customerSessionUserContext" xsi:type="array">
                    <!-- *********************** LET IT BE A PROXY ************************** -->
                    <item name="type" xsi:type="object">Magento\Customer\Model\Authorization\CustomerSessionUserContext\Proxy</item>
                    <item name="sortOrder" xsi:type="string">20</item>
                </item>
                <item name="adminSessionUserContext" xsi:type="array">
                    <!-- *********************** LET IT BE A PROXY ************************** -->
                    <item name="type" xsi:type="object">Magento\User\Model\Authorization\AdminSessionUserContext\Proxy</item>
                    <item name="sortOrder" xsi:type="string">30</item>
                </item>
            </argument>
        </arguments>
    </type>
</config>

<!-- vendor/magento/module-user/etc/webapi_rest/di.xml -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Authorization\Model\CompositeUserContext">
        <arguments>
            <argument name="userContexts" xsi:type="array">
                <item name="adminSessionUserContext" xsi:type="array">
                    <!-- *********************** LET IT BE A PROXY ************************** -->
                    <item name="type" xsi:type="object">Magento\User\Model\Authorization\AdminSessionUserContext\Proxy</item>
                    <item name="sortOrder" xsi:type="string">30</item>
                </item>
            </argument>
        </arguments>
    </type>
</config>

I do not know which one of the changes fixed the issue, but I achieved the expected result.

Labels: Component: Framework/Webapi, Fixed in 2.4.x, Issue: Clear Description, Issue: Confirmed, Issue: Format is valid, Issue: Ready for Work, Priority: P2, Reproduced on 2.4.x, Severity: S3, bug report
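The mechanism the report describes, as an added illustration in plain PHP (this is not Magento's code and not the fix from the linked PR): a session-backed user context whose constructor starts the session, a hand-written stand-in for an ObjectManager-generated \Proxy, and a reduced CompositeUserContext that returns the first non-null user id. The class names mirror the Magento ones but are simplified; SessionTracker, handleRequest and run are assumptions introduced for the illustration, and session_start() is modelled with a flag so the script runs from the CLI without emitting headers.

```php
<?php
// Added illustration, not Magento code. Models why eager DI construction of
// session-backed user contexts starts a PHP session on every REST request,
// and how a lazy proxy avoids it for requests that never consult them.

declare(strict_types=1);

// Assumption: stand-in for session_start(); records whether a session started.
final class SessionTracker
{
    public static bool $started = false;
}

// Mirrors \Magento\Framework\Session\SessionManager, whose constructor
// implicitly starts the PHP session (the root cause named in the report).
class SessionManager
{
    public function __construct()
    {
        SessionTracker::$started = true; // Magento calls session_start() here
    }

    public function getId(): ?int
    {
        return null; // anonymous request: nothing in the session
    }
}

interface UserContextInterface
{
    public function getUserId(): ?int;
}

// Constructing this context constructs a SessionManager, hence starts a session.
class CustomerSessionUserContext implements UserContextInterface
{
    public function __construct(private SessionManager $session) {}

    public function getUserId(): ?int
    {
        return $this->session->getId();
    }
}

// Hand-written equivalent of a generated \Proxy: the real object is only
// built on the first method call, not when the DI graph is assembled.
class CustomerSessionUserContextProxy implements UserContextInterface
{
    private ?CustomerSessionUserContext $subject = null;

    /** @param callable(): CustomerSessionUserContext $factory */
    public function __construct(private $factory) {}

    public function getUserId(): ?int
    {
        $this->subject ??= ($this->factory)();
        return $this->subject->getUserId();
    }
}

// Reduced CompositeUserContext: first context with a user id wins.
class CompositeUserContext
{
    /** @param UserContextInterface[] $contexts */
    public function __construct(private array $contexts) {}

    public function getUserId(): ?int
    {
        foreach ($this->contexts as $ctx) {
            if (($id = $ctx->getUserId()) !== null) {
                return $id;
            }
        }
        return null;
    }
}

// Assumption: an anonymous resource never consults the user contexts.
function handleRequest(CompositeUserContext $composite, bool $anonymousResource): ?int
{
    return $anonymousResource ? null : $composite->getUserId();
}

// Returns whether a session was started while serving one request.
function run(bool $useProxy, bool $anonymousResource): bool
{
    SessionTracker::$started = false;
    $context = $useProxy
        ? new CustomerSessionUserContextProxy(fn() => new CustomerSessionUserContext(new SessionManager()))
        : new CustomerSessionUserContext(new SessionManager()); // eager: session starts right here
    handleRequest(new CompositeUserContext([$context]), $anonymousResource);
    return SessionTracker::$started;
}

var_dump(run(false, true)); // eager wiring, anonymous request
var_dump(run(true, true));  // proxy wiring, anonymous request
var_dump(run(true, false)); // proxy wiring, request that needs authorization
```

Run from the CLI it prints true, false, true: with eager wiring the session is started by object construction alone, even though the anonymous request never reads it; with the proxy the session is started only once something actually calls getUserId() on the context. The proxy therefore does not make the REST API stateless, it only moves the side effect from DI assembly to first use, so a request that does consult the contexts will still open a session and can still hit the remote-address redirect the report mentions. A live check after applying the di.xml change is to request the anonymous endpoint with curl and inspect the response headers for a Set-Cookie: PHPSESSID entry, which should be absent.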

All 7 comments

@boldhedgehog, thank you for your report.
We've created internal ticket(s) MAGETWO-81390 to track progress on the issue.

Hi @boldhedgehog. Thank you for your report.
The issue has been fixed in magento-engcom/magento2ce#1247 by @serhii-balko in 2.2-develop branch
Related commit(s):

  • a282973dfd04e40bfdabc1aa81c70db837043837
  • 6a5861053cac6781d4a1c349cdaea46874148470

The fix will be available with the upcoming patch release.

Dear @magento-team, you have merged something wrong because this fix is in 2.2, but in 2.3 and later it is not.

I re-opened this task. The issue was fixed in 2.2.x, but not in the 2.3.x and 2.4.x release lines. https://github.com/magento/magento2/pull/26032 fixes this issue

Hi @engcom-Delta. Thank you for working on this issue.
In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions:

  • [ ] 1. Verify that the issue has all the required information (Preconditions, Steps to reproduce, Expected result, Actual result).
    Details: If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please edit the issue description if needed, until the label Issue: Format is valid appears.
  • [ ] 2. Verify that the issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add the Issue: Clear Description label to the issue yourself.

  • [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

  • [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

    Details:
    - Add the comment @magento give me 2.4-develop instance to deploy a test instance on Magento infrastructure.
    - If the issue is reproducible on the 2.4-develop branch, please add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that the issue is not reproducible, close the issue and _stop the verification process here_!

  • [ ] 5. Add label Issue: Confirmed once verification is complete.

  • [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

Confirmed by @engcom-Delta
Thank you for verifying the issue. Based on the provided information, internal ticket MC-35585 was created

Issue Available: @engcom-Delta, _You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself._
