symfony - symfony2 session auto_start

Question

i would like to start the session when the login executed not before.

I found out, that teh csrf token starts a session too when i'm using it in my forms.

Now i disabled the csrf token but the system starts also a session.

Which parts of symfony2 are creating the session too?

How can i detect the correct party in my application with xdebug? I put the breakpoint in the Session.class but xdebug never stops on this point.

Thank you very much.

I'm using symfony 2.0.

This is my config.yml part

session:
    default_locale: %locale%
    lifetime: %session_lifetime%        
    path: /
    domain: %session_authdomain%            
    name: sid
    auto_start: false

This is my security.yml

security:
encoders:        
    DankeForumBundleEntityForumuser: sha512
    DankeForumBundleEntityAdmin: sha512

role_hierarchy:
    ROLE_MODERATOR: [ROLE_MANAGE_DEAL, ROLE_MANAGE_COMMENT]
    ROLE_ADMIN: [ROLE_MODERATOR, ROLE_MANAGE_CATEGORY, ROLE_MANAGE_AFFILIATELINK, ROLE_MANAGE_FORUMUSER, ROLE_MANAGE_BADLINK, ROLE_MANAGE_BADWORD]
    ROLE_SUPERADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH,  ROLE_MANAGE_EXCLUSIVEDEAL, ROLE_MANAGE_ADMIN]

providers:
    forumuser:
        providers: u_email, u_username
    u_email:
      entity: { class: DankeForumBundleEntityForumuser, property: email }
    u_username:
      entity: { class: DankeForumBundleEntityForumuser, property: username }
    admin:
        providers: a_email, a_username
    a_email:
      entity: { class: DankeForumBundleEntityAdmin, property: email }
    a_username:
      entity: { class: DankeForumBundleEntityAdmin, property: username }


firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false

    admin:
      # since anonymous is allowed users will not be forced to login
      pattern:   /admin/
      form_login:
        provider: admin
        login_path:  /admin
        check_path:  /admin/login
        always_use_default_target_path: true
        default_target_path: /admin/deal
      anonymous: false
      logout:
            path:   /admin/logout
            target: /admin

    public:
      # since anonymous is allowed users will not be forced to login
      pattern:   ^/.*          
      form_login:
        provider: forumuser
        login_path:  /login
        check_path:  /login_check/form
        #default_target_path: has to be declard in AuthenticationHandler
        success_handler: danke.forum.listener.authenticationhandler
        failure_handler: danke.forum.listener.authenticationhandler
      anonymous: true
      logout: true

access_control:
  //some access Control pages

Answer 1

In your public firewall, disable anonymous authentication cause it needs session to identify non-logged user.

You can replace by :

firewalls:
    public:
      # since anonymous is allowed users will not be forced to login
      pattern:   ^/.*   
      security: false