Legacy random session ID generation is incompatible with symfony/http-foundation v4.4.42

Created on 14 June 2022, over 3 years ago
Updated 9 September 2025, 23 days ago

Problem/Motivation

The release of symfony/http-foundation v4.4.42 validates and recreates the session ID when it's not valid.
\Drupal\Core\Session\SessionManager::getId() generates a random session ID if a session is not started yet.
The ID generated through \Drupal\Component\Utility\Crypt::randomBytesBase64() can contain invalid characters such as underscores.
The next time that the session is started, the Symfony component will regenerate the id and the session data will be lost.
Calling \Drupal\Core\Session\SessionManager::getId() is already deprecated as indicated in code and in this change record.

Steps to reproduce

This issue was encountered during tests while using the cas module version 1.7.0 but it can be reproduced by calling \Drupal\Core\Session\SessionManager::getId() before a session exists.

Proposed resolution

None at the moment, I'm creating this just as a reference for users that might run into the same.
It can be fixed by

  1. not calling getId() and using alternatives as explained in the change record "Drupal uses PHP session ID generation".
  2. locking symfony/http-foundation to 4.4.41, at least until the point above is fixed.

Writing a test is hard as the ID generation is random so it fails only sometimes.

Remaining tasks

To be discussed, since now calling the above method can actually create issues.

User interface changes

None.

API changes

TBD.

Data model changes

None.

🐛 Bug report
Status

Fixed

Version

9.4

Component

base system

Created by

🇮🇹Italy sardara

  • Contributed project blocker

    It denotes an issue that prevents porting of a contributed project to the stable version of Drupal due to missing APIs, regressions, and so on.
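
A deterministic way to reproduce the mismatch described in the issue summary, as an added example that is not part of the original report and is not Drupal or Symfony code. The helper names `url_safe_base64()` and `is_php_session_id()` are hypothetical, and the validation pattern is an assumption built on the character set PHP documents for its files session handler (a-z, A-Z, 0-9, comma, hyphen).

```php
<?php
// Added illustration; helper names are hypothetical, not Drupal/Symfony APIs.

// Same transformation Crypt::randomBytesBase64() applies, but over
// caller-supplied bytes so the resulting ID is reproducible in a test.
function url_safe_base64(string $bytes): string {
  return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($bytes));
}

// Assumption: stands in for the validation added in http-foundation 4.4.42.
// The alphabet is the one PHP documents for the files session handler;
// the minimum length of 22 is assumed.
function is_php_session_id(string $id): bool {
  return preg_match('/^[a-zA-Z0-9,-]{22,}$/', $id) === 1;
}

// Constructed inputs, 32 bytes each like the default randomBytesBase64() call.
$samples = [
  // Encodes to 'A' characters only.
  'zero bytes' => str_repeat("\x00", 32),
  // 0xFB 0xEF 0xBE is base64 '++++', rewritten to '----' (hyphen is allowed).
  'leading hyphens' => "\xfb\xef\xbe" . str_repeat("\x00", 29),
  // 0xFF 0xFF 0xFF is base64 '////', rewritten to '____' (underscore is not).
  'leading underscores' => str_repeat("\xff", 3) . str_repeat("\x00", 29),
];

foreach ($samples as $label => $bytes) {
  $id = url_safe_base64($bytes);
  printf("%-20s %s => %s\n", $label, $id,
    is_php_session_id($id) ? 'accepted' : 'would be regenerated');
}

// Why a random-input test only fails sometimes: '_' (base64 index 63) is the
// only character outside the alphabet. 32 bytes encode to 43 characters, and
// the last one carries just 4 data bits, so it can never be index 63. That
// leaves 42 positions where an underscore can appear.
printf("share of random 32-byte IDs affected: %.3f\n", 1 - (63 / 64) ** 42);
```

Feeding fixed bytes through the same encoding removes the randomness that made the failure intermittent, so a regression test can assert on the underscore case directly.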
