Allow session to be started by other app (not Nette)

9 months ago

mikeb
Member | 30

Regarding this thread: when using Nette forms stand-alone, I can't use CSRF protection when another (non-Nette) part of the code has already started the session before the form is rendered. (There's a fatal exception: Unable to set 'session.use_only_cookies' to value '1...)
However, in `Nette\Http\Session` there is a private static property `$started` that is always set to false, so then Nette starts the session. Could there be a config option to allow session `$started` to be set to true, or 'smart', where it can test for a current session? And could that config option not rely on the main config.neon, as this is not part of the standalone forms?

That way forms could play nicely with other code and frameworks and spread the Nette awesomeness!

Thanks for considering it.
Mike

9 months ago

David Grudl
founder | 6692

Nette can work with an already started session; it only checks whether it is safe. For example, this means that session.use_only_cookies must be enabled. So simply enable this configuration option in PHP and it will work.

9 months ago

mikeb
Member | 30

Thanks for your reply. I changed session.use_only_cookies=1 in php.ini, restarted, and still get the error I mentioned. phpinfo.php confirms session.use_only_cookies On.
This is Nette 2.4 forms (standalone), on XAMPP / PHP 5.6.8 / win10-64.

Other suggestions?

Thanks

9 months ago

tpr
Member | 55

Neither worked here when I tried yesterday; only modifying `$started` in Session has worked so far.
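
An added example, not part of the thread and not Nette's code: plain PHP for the non-Nette application that starts the session, applying the `session.use_only_cookies` setting named in the reply above before `session_start()` and logging the value actually in effect at the point where the form is rendered. The function name `sessionIniMismatches` is hypothetical, and checking only this one setting is an assumption taken from the thread.

```php
<?php
// Added example: plain PHP for the host (non-Nette) application.
// No Nette API is used; sessionIniMismatches() is a hypothetical helper.

/**
 * Compare the effective session.* ini values with the expected ones.
 * Returns [setting => [expected, actual]] for every mismatch.
 */
function sessionIniMismatches(array $expected)
{
    $mismatches = [];
    foreach ($expected as $name => $want) {
        $actual = ini_get('session.' . $name);
        // ini_get() returns the stored string: "1" when php.ini says On,
        // but "On" when a script called ini_set(..., 'On'). Normalise
        // boolean settings before comparing so both spellings match.
        if (is_bool($want)) {
            $same = filter_var($actual, FILTER_VALIDATE_BOOLEAN) === $want;
        } else {
            $same = (string) $actual === (string) $want;
        }
        if (!$same) {
            $mismatches[$name] = [$want, $actual];
        }
    }
    return $mismatches;
}

// Host bootstrap: apply the setting before this code starts the session.
if (session_status() === PHP_SESSION_NONE) {
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Run this right before the form is rendered. Only use_only_cookies is
// named in the thread; extend the list for other settings you rely on.
$expected = ['use_only_cookies' => true];
foreach (sessionIniMismatches($expected) as $name => $pair) {
    error_log(sprintf(
        'session.%s: expected %s, effective %s',
        $name,
        var_export($pair[0], true),
        var_export($pair[1], true)
    ));
}
error_log('session active: ' . var_export(session_status() === PHP_SESSION_ACTIVE, true));
```

The log shows the per-request value, which can differ from php.ini when a per-directory setting or an earlier `ini_set()` call overrides it.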