Session shouldn't start automatically
By default, session handling is started automatically. This isn't useful when it comes to server/server communication.
Places where it should be fixed:
TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager, line 130: * @FLOW3\Session(autoStart=true)
Package, lines 46/47:
$dispatcher->connect('TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager', 'authenticatedToken', 'TYPO3\FLOW3\Session\SessionInterface', 'renewId');
$dispatcher->connect('TYPO3\FLOW3\Security\Authentication\AuthenticationProviderManager', 'loggedOut', 'TYPO3\FLOW3\Session\SessionInterface', 'destroy');
[!!!][TASK] Change session autostart handling for authentication providers
The session autostart annotation is set at the
providers, not at the authentication manager. By
this every provider can decide on its own, if a
session is needed or not.
Also adds a safeguard in the Session Logging Aspect
to prevent errors while trying to log renewId()
even though the session was not started yet.
[BUGFIX] Assure fresh session for functional tests
The changes done to resolve #35965 came with a functional
test that worked fine when run in isolation but failed when
run with other tests that would start a session.
This patch moves the $session->destroy() call in the
base test case from the tearDown() to the setUp()
method and fixes the behavior of destroy() in the
TransientSession which did not reset the "started"
#4 Updated by Robert Lemke over 7 years ago
Just for the record: it's not correct that sessions are generally started automatically - the "autostart" feature exists exactly for having more control over that behavior. What's right though is that the authenticate() method is starting a session because I did not consider authentication mechanisms which don't need sessions.