Area Sessions: Magento 2 Should not Allow "area-less" Sessions During an Area Aware Request

[astorm]

Magento 2, like Magento 1, currently uses the PHP session_name function to set a session name of frontend or adminhtml. This separates area sessions and is a good thing.

However, if a Magento module developer observes an event that fires prior to an area existing, and in that observer instantiates a session — Magento's session code will not have an area name to use for the session name. Instead, PHP will use the default session name.

This MUST NOT happen. This creates a situation where the system seems to behave normally, but is saving session information to the wrong area. If the module developer's code path is called for every request, it means session area data is not longer split between the frontend and backend. If the module developer's code path is called conditionally, it means session data is being saved/read from both the area session store and the default PHP session store intermittently. This creates seemingly random system behavior.

Both these situation create potential instability in the system, and have led to a number of confusing and intermittent bugs over the years with Magento 1.

The simplest solution would be a fatal exception

#File: lib/Magento/Session/SessionManager.php
if (!empty($sessionName)) {
    $this->setName($sessionName);
}
else
{
    throw new Exception('Arealess session not allowed');    
}

However, any solution will have implications for existing system code across the board. Therefore, a decision on the right solution is in the responsibility of the system system owner (eBay), and not the the external community.

[verklov]

@astorm, thank you for reporting this! The issue is in the product backlog. We will notify you once the team finishes the analysis.

[vpelipenko]

Internal ticket: MAGETWO-23159

[vpelipenko]

This issues was fixed and available from 0.74.0-beta8. Could you it on this version?