Allow session to be started by other app (not Nette)
- mikeb
- Member | 33
regarding this
thread, when using as stand-alone Nette forms I can't use CSRF protection
when another (non-nette) part of code has already started the session before the
form is rendered. (there's a fatal exception:
Unable to set 'session.use_only_cookies' to value '1...)
However in ` Nette\Http\Session` there is a private static property
$started that is always set to false, so then nette starts the
session. Could there be a config option to allow session $started
to be set to true, or ‘smart’ where it can test for a current session? and
could that config option not rely on the main config.neon as this is not part of
the standalone forms.
that way forms could play nicely with other code and frameworks and spread the nette awesomeness!
thanks of considering it.
Mike
- David Grudl
- Nette Core | 8218
Nette can work with already started session, it only checks if it is safe. It
for example means that session.use_only_cookies must be enabled. So
simply enable this configuration option in PHP and it will work.
