Skip to content

Unify null session behaviour for TempData and SupplyParameterFromTempData#67641

Open
dariatiurina wants to merge 4 commits into
dotnet:mainfrom
dariatiurina:67175-nullsession-tempdata-sessiondata
Open

Unify null session behaviour for TempData and SupplyParameterFromTempData#67641
dariatiurina wants to merge 4 commits into
dotnet:mainfrom
dariatiurina:67175-nullsession-tempdata-sessiondata

Conversation

@dariatiurina

@dariatiurina dariatiurina commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Unify null/unavailable session handling for Session and TempData

Summary

The Blazor Endpoints session and TempData features handled a missing/unavailable session inconsistently — some paths threw, some silently returned empty, and some returned null. This PR unifies the behavior across all of them:

  • A session is expected but unavailable while an HttpContext is present (static SSR misconfiguration) → fail fast with InvalidOperationException.
  • No HttpContext at all (interactive Server circuit / WebAssembly) → yield null/empty gracefully and log a single warning.
  • Untrusted/corrupt stored data → swallowed, falling back to empty (unchanged).

Changes

  • New SessionResolver helper — one place that resolves HttpContext.Session and throws InvalidOperationException when session middleware isn't configured or the feature exposes a null session. Uses the same message as HttpContext.Session so every path surfaces an identical exception.
  • SessionCascadingValueSupplier ([SupplyParameterFromSession])GetSession() returns null only when there is no HttpContext (interactive rendering); otherwise it routes through SessionResolver and fails fast. A single SessionUnavailable warning is logged when the parameter is skipped on read or persist (previously silent).
  • SessionStorageTempDataProvider — load and save now resolve the session via SessionResolver.GetRequiredSession. On load, session access moved outside the try so a missing/unconfigured session fails fast instead of being swallowed into empty TempData; only deserialization errors remain swallowed.
  • TempDataCascadingValueSupplier ([SupplyParameterFromTempData]) — logs a TempDataUnavailableForRead warning when the parameter is skipped during interactive rendering (previously silent), matching the session supplier.
  • CookieTempDataProvider — narrowed the load try/catch to wrap only the decode/unprotect/deserialize of untrusted cookie data. Cookie retrieval and not-found checks now sit outside the try, so unexpected errors surface instead of being silently swallowed as "no TempData". Corrupt/tampered cookie data still degrades gracefully to empty and clears the cookie.

Resulting behavior

Class Store unavailable (SSR, context present) Interactive (no HttpContext) Corrupt/unreadable data
SessionCascadingValueSupplier throws InvalidOperationException warns + null deserialization swallowed → null
TempDataCascadingValueSupplier n/a (uses ITempData) warns + null deserialization swallowed → null
SessionStorageTempDataProvider throws InvalidOperationException n/a (SSR-only) deserialization swallowed → empty
CookieTempDataProvider n/a (cookies always available) n/a (SSR-only) decode/deserialize swallowed → empty + clears cookie

Testing

Unit tests updated/added across the affected classes:

  • SessionCascadingValueSupplierTest — persist throws when a context is present but the session is unconfigured/null; logs SessionUnavailable and skips when no HttpContext.
  • SessionSubscriptionTest — read throws when the session is null with a context present; returns null and logs SessionUnavailable when no HttpContext.
  • SessionStorageTempDataProviderTest — load and save throw when the session is unconfigured/null; corrupt session data still returns empty.
  • TempDataSubscriptionTest — read returns null and logs TempDataUnavailableForRead when no HttpContext.

E2E test assets:

  • Added StreamingCookieTempDataPersistence.razor (/streaming-cookie-tempdata-persistence) — a cookie-only streaming page that mirrors the existing streaming scenario without [SupplyParameterFromSession]. TempDataCookieTest.StreamingSSR_CookieTempData_DoesNotPersistValuesWrittenAfterFirstFlush now targets this page. Because [SupplyParameterFromSession] now fails fast when session middleware isn't configured, the cookie test app (which does not call UseSession) can no longer share the session-based streaming page. The session tests continue to use the original StreamingSessionPersistence.razor under --UseSession=true.

Breaking changes

No public API changes — all affected types are internal. There is an intentional runtime behavior change for misconfigured apps: paths that previously swallowed an unconfigured/unavailable session and returned empty/null during static SSR now throw InvalidOperationException to surface the misconfiguration early. Concretely, using [SupplyParameterFromSession] (or the session-backed TempData provider) on a page rendered by an app that has not configured session middleware (AddSession/UseSession) now throws during SSR instead of silently yielding null/empty. Interactive rendering behavior is unchanged (no HttpContext → still yields null/empty, now with a warning log).

Fixes #67175

@dariatiurina dariatiurina marked this pull request as ready for review July 8, 2026 08:48
@dariatiurina dariatiurina requested a review from a team as a code owner July 8, 2026 08:48
Copilot AI review requested due to automatic review settings July 8, 2026 08:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR unifies how Blazor Endpoints features behave when session/TempData storage is missing or unavailable, making SSR misconfiguration fail fast while keeping interactive rendering resilient (and now logged).

Changes:

  • Added a shared SessionResolver to centralize “required session” resolution and unify the thrown InvalidOperationException behavior/message.
  • Updated session- and TempData-backed suppliers/providers to consistently throw during SSR misconfiguration and to log warnings when used without an HttpContext (interactive rendering).
  • Updated/added unit and E2E coverage, including a new streaming page dedicated to cookie TempData persistence scenarios.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/Components/test/testassets/Components.TestServer/RazorComponents/Pages/StreamingRendering/StreamingCookieTempDataPersistence.razor Adds a cookie-only streaming page for TempData persistence E2E scenarios.
src/Components/test/E2ETest/Tests/TempDataCookieTest.cs Points the streaming cookie TempData E2E test to the new cookie-only page.
src/Components/Endpoints/test/TempData/TempDataSubscriptionTest.cs Adds coverage ensuring a warning is logged when TempData is read without an HttpContext.
src/Components/Endpoints/test/TempData/SessionStorageTempDataProviderTest.cs Updates tests to expect exceptions for misconfigured/null session scenarios.
src/Components/Endpoints/test/Session/SessionSubscriptionTest.cs Adds coverage for warning logging (no HttpContext) and throws when session is null with context present.
src/Components/Endpoints/test/Session/SessionCascadingValueSupplierTest.cs Updates tests for new warning/throw behavior during persist paths.
src/Components/Endpoints/src/TempData/TempDataCascadingValueSupplier.cs Adds a warning log when [SupplyParameterFromTempData] is used without an HttpContext.
src/Components/Endpoints/src/TempData/SessionStorageTempDataProvider.cs Uses SessionResolver.GetRequiredSession so missing/null session fails fast instead of being swallowed.
src/Components/Endpoints/src/TempData/CookieTempDataProvider.cs Narrows the guarded try/catch to only untrusted cookie decode/unprotect/deserialize operations.
src/Components/Endpoints/src/SessionResolver.cs Introduces centralized session resolution with unified exception behavior.
src/Components/Endpoints/src/SessionCascadingValueSupplier.cs Uses SessionResolver and logs a warning when [SupplyParameterFromSession] is skipped due to no HttpContext.

Comment thread src/Components/Endpoints/src/TempData/CookieTempDataProvider.cs
@ilonatommy ilonatommy added the area-blazor Includes: Blazor, Razor Components label Jul 8, 2026

@ilonatommy ilonatommy left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the changes, I have only small cleanup ideas to not make the fix too verbose. In general, take a look at the added comments and think if they are necessary or if they can be rephrased to shorter, clearer versions.

Comment thread src/Components/Endpoints/src/TempData/CookieTempDataProvider.cs Outdated
Comment thread src/Components/Endpoints/src/SessionResolver.cs Outdated
@dariatiurina dariatiurina enabled auto-merge (squash) July 8, 2026 11:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-blazor Includes: Blazor, Razor Components

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Unify null session handling for SessionData and TempData

3 participants