From 33fc80cbc2331167023aa5b05e93f85718e5c816 Mon Sep 17 00:00:00 2001
From: r-dev <matthieu@yuno.malio.fr>
Date: Sun, 8 Mar 2026 14:30:38 +0100
Subject: [PATCH] fix(security) : disable session migration on API firewall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Symfony's default session_fixation_strategy (migrate) regenerated the
session ID on every authenticated request, breaking concurrent API calls
from the SPA — only the first request succeeded, all others got 401.
The login controller already calls $session->migrate(true) explicitly,
so disabling automatic migration is safe.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 config/packages/security.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 60ef91c..49f1b61 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -1,4 +1,9 @@
 security:
+    # Login controller already calls $session->migrate(true) on login.
+    # Keeping 'migrate' would regenerate the session ID on every authenticated
+    # API request, which breaks concurrent requests from the SPA (race condition).
+    session_fixation_strategy: none
+
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:
         Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'