Problem/Motivation
Third-party implementations should be able to modify session options, and therefore DrupalKernel::initializeCookieGlobals() needs to be replaced by a service. Regrettably, #2331909: Move DrupalKernel::initializeCookieGlobals() into page cache kernel decorator encountered major roadblocks, so let's try a different approach.
A couple of PHP ini-settings need to be set up correctly in order to ensure that sessions are safe and work seamlessly. In Drupal most of those values were enforced from within settings.php. However, the value of some of those ini-settings depends on a request object with reverse proxy headers already validated. It follows that those values cannot be set statically in a config file or as a container parameter but need to be determined at runtime. This applies to the session_name (in order to properly keep apart secure (HTTPS-only) session cookies from plain ones), but also to the cookie_domain.
The NativeSessionStorage class (the parent class of the Drupal SessionManager) accepts an array of ini-options as a constructor argument. It can also receive them through its setOptions method. However, Symfony does not support advanced use-cases like the ones outlined above out of the box.
Taking the best of both worlds, let's introduce the session.storage.options container parameter and augment those using a new session_configuration service just before a session is started.
It has been suggested elsewhere (#1934730-8: Alternative session handler implementation is not able to override session_name()) that the responsibility of setting the session name should be moved to the SessionManager. However, that would result in the session manager being instantiated, including all of its dependencies, when the page cache request policy needs to verify whether there is a session cookie on an incoming request. The session configuration service does not have any dependencies, and therefore it is safe to assume that its instantiation has less impact on the response time when pages are served from the cache.
Proposed resolution
Introduce a Drupal\Core\Session\SessionConfiguration service which is capable of choosing session ini-values on a per-request basis. Sites and modules which need to modify session ini settings (e.g. Secure Pages) may supply their own implementation of the session configuration service.
Note, this ensures that even though global $cookie_domain is replaced by a container parameter, it is still possible for the session configuration service to choose a different value for session.cookie_domain based on the request.
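The per-request resolution described above, as an added example that is not Drupal core code or the patch from this issue. The function name, the name prefixes and the hashing scheme are assumptions; the option keys are those accepted by NativeSessionStorage.

```php
<?php
// Added illustration; not Drupal core code. Function name, prefixes and
// hashing scheme are hypothetical.

/**
 * Merge static session options with values that depend on the request.
 *
 * $isSecure and $host are assumed to come from a request object whose
 * reverse proxy headers have already been validated.
 */
function resolve_session_options(array $staticOptions, bool $isSecure, string $host): array {
  $options = $staticOptions;

  // Drop a port suffix; cookies are not scoped by port.
  $domain = strtolower(preg_replace('/:\d+$/', '', $host));

  // Cookie domain: keep a configured value, otherwise derive it from the host.
  if (empty($options['cookie_domain'])) {
    // IP addresses and single-label hosts get a host-only cookie (empty domain).
    $isIp = filter_var(trim($domain, '[]'), FILTER_VALIDATE_IP) !== false;
    $options['cookie_domain'] = ($isIp || strpos($domain, '.') === false) ? '' : $domain;
  }

  // Session name: distinct prefixes keep the HTTPS-only cookie apart from the
  // plain one, so one can never be sent or read in place of the other.
  $seed = $options['cookie_domain'] !== '' ? $options['cookie_domain'] : $domain;
  $prefix = $isSecure ? 'SSESS' : 'SESS';
  $options['name'] = $prefix . substr(hash('sha256', $seed), 0, 32);

  // Only the cookie issued over HTTPS carries the Secure flag.
  $options['cookie_secure'] = $isSecure;

  return $options;
}

// Constructed sample input: static defaults as they might sit in a container
// parameter, resolved against three constructed requests.
$static = ['cookie_httponly' => true, 'gc_maxlifetime' => 200000];
$requests = [[false, 'example.com'], [true, 'example.com:8443'], [true, 'localhost']];
foreach ($requests as [$secure, $host]) {
  $o = resolve_session_options($static, $secure, $host);
  printf("%-18s %-5s name=%s domain=%s secure=%s\n",
    $host, $secure ? 'https' : 'http', $o['name'],
    var_export($o['cookie_domain'], true), var_export($o['cookie_secure'], true));
}
```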
Remaining tasks
Review.
User interface changes
None.
API changes
- Replace the global $cookie_domain by a container parameter.
- Move session related ini settings from settings.php to a container parameter.
Beta phase evaluation
Issue category | Bug because it is resolving #1934730: Alternative session handler implementation is not able to override session_name() |
---|---|
Issue priority | Major because it provides contrib with a clean way to implement mixed mode SSL support (Secure Pages). This resolves a temporary regression introduced by #2342593: Remove mixed SSL support from core. |
Disruption | Moderately disruptive for existing sites because they might need to replicate the changes to site settings.php, services.yml |