0
votes

I have an old Symfony 2.4 app (with php 5) and a standard security (form_login firewall & role based authorization). Let's call it app1.

Now I'm creating a new Symfony 3.3 app (php 7) that I'd like to use keeping sessions so users can switch from one to an other seamlessly. Let's call it app2. The users' authentication and storage would still be managed by app1.

These apps are hosted on the same domain, different subdomains. I managed to share the app1 session files into app2 (with Docker volumes).

Here is the session configuration of both apps:

framework:
    session:
        handler_id: session.handler.native_file
        save_path: '%kernel.root_dir%/../var/sessions/%kernel.environment%'
        cookie_domain: myapp.dev

So when I'm logged into app1 I'm expecting to be considered logged into app2 as well.
I'm seeing app2 sending the right cookie but it crashes saying :

Warning: Class __PHP_Incomplete_Class has no unserializer

It is actually trying to unserialize app1's user from the session but does not have the related User implementation in app2.

How can app2 know that I'm logged in app1 ?

1
How do you share session cookie between 2 domains? Could you confirm you send the same session id to both domains? E.g. using Chrome dev tools, net tab.Alex Blex
Not in the symfony configs. You will need to re-configure the web: tools.ietf.org/html/rfc6265#section-4.1.2.3. Domain names are kind of namespaces for cookies. You will need to use some storage clientside with js and 302 redirects to make cross-domain cookies to work.Alex Blex

1 Answers

1
votes

Obviously you can't share session files without sharing the classes, which is hardly an option considering a gap between versions.

In general case you would need to use one of single sign on systems - OAuth2, OpenId, etc. e.g. https://github.com/FriendsOfSymfony/FOSOAuthServerBundle

Alternatively you can do it manually, which will require a bit more coding, but can be tailored to your needs and potentially smaller operational costs. In this case your app1 should provide an API to return user info by sessionId, and app2 should implement custom authentication to query this API. The API should not be exposed, and be available only to the app2 container.