[Profiler][SecurityBundle] Logout link in the profiler causes "Session was used while the request was declared stateless." #61525

@micheh

Symfony version(s) affected

6.4.24

Description

In the SecurityDataCollector, the LogoutUrlGenerator is used to add a logout link to the profiler:

$logoutUrl = $this->logoutUrlGenerator?->getLogoutPath();

The problem is that LogoutUrlGenerator fetches the token from the session, which counts as a session usage. If the current route is stateless and the firewall is a regular stateful firewall, this will generate the exception: Session was used while the request was declared stateless.

This only occurs if there is a token in the session, as the SecurityDataCollector only generates the logout path if there is a token in the storage.

How to reproduce

  1. Configure a regular (stateful) firewall
  2. Make sure there is a token in the session (e.g. by visiting a login route)
  3. Visit the stateless route

Possible Solution

No response

Additional Context

Reproducer repository: https://github.com/micheh/stateless-bug
Visit / to automatically log in and then go to /stateless
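
A regression check for the reproduction steps above, added here as an example; it is not part of the issue, the reproducer repository or Symfony's own code. It assumes an application whose stateful firewall is named "main" and has logout configured, a publicly accessible route /stateless declared as stateless, and the profiler enabled in the test environment; the class name and the user are made up.

```php
<?php
// Added example. Assumptions: firewall "main" (stateful, logout configured),
// a public route /stateless declared with stateless: true, and
// framework.profiler enabled for the test environment.

namespace App\Tests;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\Security\Core\User\InMemoryUser;

final class StatelessRouteProfilerTest extends WebTestCase
{
    // Control case: no token in the session, so the report says the
    // SecurityDataCollector does not generate a logout path.
    public function testStatelessRouteWithoutToken(): void
    {
        $client = static::createClient();
        $client->enableProfiler(); // collect profiler data for the next request

        $client->request('GET', '/stateless');

        self::assertResponseIsSuccessful();
    }

    // Steps 2 and 3 of the report: a token is stored in the session of the
    // stateful firewall, then the stateless route is requested while the
    // profiler collects. On an affected version the report describes the
    // exception "Session was used while the request was declared stateless.",
    // which the test client turns into a 500 response.
    public function testStatelessRouteWithTokenInSession(): void
    {
        $client = static::createClient();

        // Constructed test user; loginUser() stores a token for firewall
        // "main" in the session and sets the session cookie on the client.
        $user = new InMemoryUser('demo', null, ['ROLE_USER']);
        $client->loginUser($user, 'main');
        $client->enableProfiler();

        $client->request('GET', '/stateless');

        self::assertResponseIsSuccessful();
    }
}
```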
