Unify null session behaviour for TempData and SupplyParameterFromTempData#67641
Open
dariatiurina wants to merge 4 commits into
Open
Unify null session behaviour for TempData and SupplyParameterFromTempData#67641dariatiurina wants to merge 4 commits into
dariatiurina wants to merge 4 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR unifies how Blazor Endpoints features behave when session/TempData storage is missing or unavailable, making SSR misconfiguration fail fast while keeping interactive rendering resilient (and now logged).
Changes:
- Added a shared
SessionResolverto centralize “required session” resolution and unify the thrownInvalidOperationExceptionbehavior/message. - Updated session- and TempData-backed suppliers/providers to consistently throw during SSR misconfiguration and to log warnings when used without an
HttpContext(interactive rendering). - Updated/added unit and E2E coverage, including a new streaming page dedicated to cookie TempData persistence scenarios.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/Components/test/testassets/Components.TestServer/RazorComponents/Pages/StreamingRendering/StreamingCookieTempDataPersistence.razor | Adds a cookie-only streaming page for TempData persistence E2E scenarios. |
| src/Components/test/E2ETest/Tests/TempDataCookieTest.cs | Points the streaming cookie TempData E2E test to the new cookie-only page. |
| src/Components/Endpoints/test/TempData/TempDataSubscriptionTest.cs | Adds coverage ensuring a warning is logged when TempData is read without an HttpContext. |
| src/Components/Endpoints/test/TempData/SessionStorageTempDataProviderTest.cs | Updates tests to expect exceptions for misconfigured/null session scenarios. |
| src/Components/Endpoints/test/Session/SessionSubscriptionTest.cs | Adds coverage for warning logging (no HttpContext) and throws when session is null with context present. |
| src/Components/Endpoints/test/Session/SessionCascadingValueSupplierTest.cs | Updates tests for new warning/throw behavior during persist paths. |
| src/Components/Endpoints/src/TempData/TempDataCascadingValueSupplier.cs | Adds a warning log when [SupplyParameterFromTempData] is used without an HttpContext. |
| src/Components/Endpoints/src/TempData/SessionStorageTempDataProvider.cs | Uses SessionResolver.GetRequiredSession so missing/null session fails fast instead of being swallowed. |
| src/Components/Endpoints/src/TempData/CookieTempDataProvider.cs | Narrows the guarded try/catch to only untrusted cookie decode/unprotect/deserialize operations. |
| src/Components/Endpoints/src/SessionResolver.cs | Introduces centralized session resolution with unified exception behavior. |
| src/Components/Endpoints/src/SessionCascadingValueSupplier.cs | Uses SessionResolver and logs a warning when [SupplyParameterFromSession] is skipped due to no HttpContext. |
ilonatommy
approved these changes
Jul 8, 2026
ilonatommy
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Unify null/unavailable session handling for Session and TempData
Summary
The Blazor Endpoints session and TempData features handled a missing/unavailable session inconsistently — some paths threw, some silently returned empty, and some returned
null. This PR unifies the behavior across all of them:HttpContextis present (static SSR misconfiguration) → fail fast withInvalidOperationException.HttpContextat all (interactive Server circuit / WebAssembly) → yieldnull/empty gracefully and log a single warning.Changes
SessionResolverhelper — one place that resolvesHttpContext.Sessionand throwsInvalidOperationExceptionwhen session middleware isn't configured or the feature exposes anullsession. Uses the same message asHttpContext.Sessionso every path surfaces an identical exception.SessionCascadingValueSupplier([SupplyParameterFromSession]) —GetSession()returnsnullonly when there is noHttpContext(interactive rendering); otherwise it routes throughSessionResolverand fails fast. A singleSessionUnavailablewarning is logged when the parameter is skipped on read or persist (previously silent).SessionStorageTempDataProvider— load and save now resolve the session viaSessionResolver.GetRequiredSession. On load, session access moved outside thetryso a missing/unconfigured session fails fast instead of being swallowed into empty TempData; only deserialization errors remain swallowed.TempDataCascadingValueSupplier([SupplyParameterFromTempData]) — logs aTempDataUnavailableForReadwarning when the parameter is skipped during interactive rendering (previously silent), matching the session supplier.CookieTempDataProvider— narrowed the loadtry/catchto wrap only the decode/unprotect/deserialize of untrusted cookie data. Cookie retrieval and not-found checks now sit outside thetry, so unexpected errors surface instead of being silently swallowed as "no TempData". Corrupt/tampered cookie data still degrades gracefully to empty and clears the cookie.Resulting behavior
HttpContext)SessionCascadingValueSupplierInvalidOperationExceptionnullnullTempDataCascadingValueSupplierITempData)nullnullSessionStorageTempDataProviderInvalidOperationExceptionCookieTempDataProviderTesting
Unit tests updated/added across the affected classes:
SessionCascadingValueSupplierTest— persist throws when a context is present but the session is unconfigured/null; logsSessionUnavailableand skips when noHttpContext.SessionSubscriptionTest— read throws when the session isnullwith a context present; returnsnulland logsSessionUnavailablewhen noHttpContext.SessionStorageTempDataProviderTest— load and save throw when the session is unconfigured/null; corrupt session data still returns empty.TempDataSubscriptionTest— read returnsnulland logsTempDataUnavailableForReadwhen noHttpContext.E2E test assets:
StreamingCookieTempDataPersistence.razor(/streaming-cookie-tempdata-persistence) — a cookie-only streaming page that mirrors the existing streaming scenario without[SupplyParameterFromSession].TempDataCookieTest.StreamingSSR_CookieTempData_DoesNotPersistValuesWrittenAfterFirstFlushnow targets this page. Because[SupplyParameterFromSession]now fails fast when session middleware isn't configured, the cookie test app (which does not callUseSession) can no longer share the session-based streaming page. The session tests continue to use the originalStreamingSessionPersistence.razorunder--UseSession=true.Breaking changes
No public API changes — all affected types are
internal. There is an intentional runtime behavior change for misconfigured apps: paths that previously swallowed an unconfigured/unavailable session and returned empty/nullduring static SSR now throwInvalidOperationExceptionto surface the misconfiguration early. Concretely, using[SupplyParameterFromSession](or the session-backedTempDataprovider) on a page rendered by an app that has not configured session middleware (AddSession/UseSession) now throws during SSR instead of silently yieldingnull/empty. Interactive rendering behavior is unchanged (noHttpContext→ still yieldsnull/empty, now with a warning log).Fixes #67175