1
votes

Symfony gives me an error when I try to switch users (impersonate) using _switch_user. It probably started happening after changing the sessions table name. Everything else works fine (setting and getting data from the session without impersonating).

Warning: session_start(): Failed to decode session object. Session has been destroyed

Precise error from logs

[2020-05-21 11:28:37] php.WARNING: Warning: session_start(): Failed to decode session object. Session has been destroyed {"exception":"[object] (ErrorException(code: 0): Warning: session_start(): Failed to decode session object. Session has been destroyed at /app/my_app/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php:151)"} []

Precise line which triggers an error (\src\EventListener\MyListener.php)

public function onKernelRequest(RequestEvent $event) {
   $request = $event->getRequest();
   $request->getSession()->set('hash', $_ENV['HASH']);
}

My session handler config (config\services.yml)

Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler:
        public: false
        arguments:
            - 'mysql:host=%env(DATABASE_HOST)%;dbname=%env(DATABASE_NAME)%'
            - { db_table: 'my_sessions', db_username: '%env(DATABASE_USER)%', db_password: '%env(DATABASE_PASSWORD)%', lock_mode: 0 }

My session config (config\packages\framework.yml)

session:
        handler_id: Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler
        cookie_samesite: 'none'
        cookie_secure: true
        cookie_httponly: true
        gc_probability: 0

I am using

  • Symfony 4.4.2
  • PHP 7.2
  • "friendsofsymfony/user-bundle": "2.1.2"

1 Answer

1
votes

I think I encountered the same problem as you today. I'm working with Symfony 5, but it is the same for Symfony 4. The problem was that my User had a ManyToMany relation and, in some cases, the full object with all its child entities was serialized and stored in the session. With PdoSessionHandler the data is stored in a BLOB field, which is limited to 64Kb, and my serialized object was getting over 100Kb!

Steps to verify

When your page crashes in dev mode, it is on the redirect after your POST. Go to the debug bar at the bottom left, where it says 500, and open the menu. You should see: Redirect from POST @route (profile). profile is a link, so click on it. In the profiler, go to Request/Response > session. There you should see, in Session Attributes, a key starting with _security_ followed by the name of your firewall (mine was admin, so it was _security_admin). There you should see the data stored; if it exceeds 64K, that's it!

Steps to fix

You have to implement the Serializable interface in your user entity, as stated here: https://symfony.com/doc/4.0/security/entity_provider.html (this also works in SF 5). This will make the serialized object much lighter!

Be careful

Changing serialization may have an impact on other features of your site, so be careful of side effects. I also had a problem because I have a custom getUsername() and this method is used for user verification, so be aware that your custom methods may have an impact on user verification!
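
The effect described in this answer, as an added example that is not part of the original answer or of Symfony's code: a plain PHP script comparing the serialized size of a user with its relations against the same user limited by Serializable, and checking whether each payload still decodes after being cut at the BLOB limit. The classes Group, FatUser and SlimUser, the sample data, and the assumption that the column silently truncates oversized values are all hypothetical.

```php
<?php
// Added example: plain PHP, no Symfony. Group, FatUser and SlimUser are
// hypothetical stand-ins for Doctrine entities; all data is constructed.
const BLOB_MAX_BYTES = 65535; // size limit of a MySQL BLOB column

class Group
{
    public $name;
    public $description;
}

// Default serialization walks the whole object graph, relations included.
class FatUser
{
    protected $id = 1;
    protected $username = 'alice';
    protected $password = 'constructed-password-hash';
    protected $groups = [];
    public function __construct()
    {
        for ($i = 0; $i < 200; $i++) {
            $group = new Group();
            $group->name = "group-$i";
            $group->description = str_repeat('x', 500); // filler payload
            $this->groups[] = $group;
        }
    }
}

// Serializable limits the session payload to the fields listed here.
// (PHP 8.1+ reports this interface as deprecated in favour of __serialize().)
class SlimUser extends FatUser implements Serializable
{
    public function serialize()
    {
        return serialize([$this->id, $this->username, $this->password]);
    }
    public function unserialize($serialized)
    {
        list($this->id, $this->username, $this->password) =
            unserialize($serialized, ['allowed_classes' => false]);
    }
}

foreach ([new FatUser(), new SlimUser()] as $user) {
    $payload = serialize($user);
    // Assumption: the column keeps only the first BLOB_MAX_BYTES bytes.
    $stored = substr($payload, 0, BLOB_MAX_BYTES);
    $decodes = @unserialize($stored) !== false;
    printf("%-8s %6d bytes, decodes after storage: %s\n",
        get_class($user), strlen($payload), $decodes ? 'yes' : 'no');
}
```

The slim variant also keeps related entities out of the session store, leaving only the identifier, username and password hash to be reloaded on the next request.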