Tags: php, authentication, symfony, session, symfony6

Symfony 6.3 migration causes problems with stateless authenticators forcing request to be stateless


Since Symfony 6.3, when using a stateless authenticator it forces the request to be stateless, which causes problems with my setup using custom authenticators:

My tool doesn't perform the signin itself; it is performed by a custom SSO service which writes a session id cookie. This cookie is used to load the user info from an external server and write it into the user object by a custom authenticator. This authenticator isn't using the built-in session in any way, so it is defined stateless:

security:
    firewalls:
        main:
            stateless: true
            custom_authenticators: ['Auth\MySessionAuthenticator']
            entry_point: 'auth.signin_web'

For our application itself we use the internal Symfony session, independent from the auth system:

framework:
    session:
        enabled: true
        handler_id: 'instance_of_redis_session_handler'
        name: 'app_sessid'

In Symfony 6.2 this worked fine, since the auth system's "stateless" option wasn't affecting the stateless flag of the request, but now it causes a "Session was used while the request was declared stateless." exception.

Is there a way to get the old behavior, or do I have to rethink the way I hook into the Symfony auth system?


Solution

  • I'm facing the same problem and I found the new behaviour in the docs: https://symfony.com/doc/current/reference/configuration/security.html#stateless

    Stateless firewall marking routes stateless was introduced in Symfony 6.3.

    This means that if you activate the stateless in your firewall you must deactivate it in your routes. For example:

    controllers:
        resource:
            path: ../src/Controller/
            namespace: App\Controller
        type: attribute
        stateless: false
    

    You can see how it works here: https://symfony.com/doc/current/routing.html#stateless-routes
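To show both halves of the thread together, here is an added example (not code from the question, the answer or the Symfony project) of what the setup described above looks like in PHP: a cookie-based custom authenticator that never touches the Symfony session, so it is correct to run it on a `stateless: true` firewall, and a controller whose route opts back into the application session with `stateless: false`, which is the per-route form of the YAML override given in the answer. The cookie name `sso_sessid`, the `SsoClient` interface, the `lookup()` method and the `ProfileController` class are all hypothetical; the only security-relevant design point is that the cookie value is treated as an opaque handle that the SSO service must validate server-side, never as trusted user data.

```php
<?php
// src/Auth/MySessionAuthenticator.php (hypothetical file; Symfony 6.3 APIs)
declare(strict_types=1);

namespace Auth;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\User\InMemoryUser;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

/** Hypothetical client for the external SSO service that owns the session id cookie. */
interface SsoClient
{
    /** @return array{username: string, roles: string[]}|null  null when the id is unknown or expired */
    public function lookup(string $ssoSessionId): ?array;
}

final class MySessionAuthenticator extends AbstractAuthenticator
{
    // Name of the cookie written by the SSO service (assumed name).
    private const SSO_COOKIE = 'sso_sessid';

    public function __construct(private readonly SsoClient $sso)
    {
    }

    public function supports(Request $request): ?bool
    {
        // Only the cookie bag is consulted. $request->getSession() is never called here,
        // so no "Session was used while the request was declared stateless" can arise.
        return $request->cookies->has(self::SSO_COOKIE);
    }

    public function authenticate(Request $request): Passport
    {
        $ssoId = (string) $request->cookies->get(self::SSO_COOKIE, '');

        // Reject malformed ids before spending a round trip to the SSO service.
        if (!preg_match('/^[A-Za-z0-9_-]{16,128}$/', $ssoId)) {
            throw new CustomUserMessageAuthenticationException('Invalid SSO session cookie.');
        }

        // The cookie is only a handle; the SSO service decides whether it is valid and
        // which user it belongs to. Nothing from the cookie is copied into the user.
        return new SelfValidatingPassport(
            new UserBadge($ssoId, function (string $id): UserInterface {
                $info = $this->sso->lookup($id);
                if ($info === null) {
                    throw new UserNotFoundException();
                }

                return new InMemoryUser($info['username'], null, $info['roles']);
            })
        );
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return null; // let the request continue to the controller
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        // Generic message: do not echo the cookie value or the SSO lookup result back.
        return new Response('Unauthorized', Response::HTTP_UNAUTHORIZED);
    }
}

// src/Controller/ProfileController.php (hypothetical file)
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route; // Symfony\Component\Routing\Attribute\Route from 6.4

final class ProfileController extends AbstractController
{
    // The firewall is stateless, but this route re-enables the application session
    // (the per-route equivalent of "stateless: false" in routes.yaml).
    #[Route('/profile', name: 'app_profile', stateless: false)]
    public function __invoke(Request $request): Response
    {
        $session = $request->getSession();          // allowed because the route is not stateless
        $session->set('last_seen', time());           // application state, unrelated to authentication

        return new Response('Hello ' . $this->getUser()?->getUserIdentifier());
    }
}
```

Wire `Auth\MySessionAuthenticator` into the firewall exactly as in the question's `custom_authenticators` list and register an implementation of `SsoClient` as a service; the route-level `stateless: false` only needs to be applied to the routes that actually read or write the application session.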