Drupal Release: 8.6.14

TL;DR

Drupal 8.6.14 is a minor release that fixes a critical session handling bug where lazy-started sessions with data were not being properly saved when using symfony/http-foundation 3.4.24. This issue could potentially lead to session data loss, affecting user experiences across the platform.

Highlight of the Release

• Fixed critical session handling bug where lazy-started sessions with data were not being saved
• Improved compatibility with symfony/http-foundation 3.4.24
• Enhanced reliability of user authentication and session management

Migration Guide

No migration steps are required for this update. This is a drop-in replacement that fixes the session handling bug without requiring configuration changes or code modifications.

Upgrade Recommendations

Immediate Upgrade Recommended

All sites running Drupal 8.6.13 or earlier in the 8.6.x branch should upgrade to 8.6.14 immediately, especially if you're using symfony/http-foundation 3.4.24. This release fixes a critical session handling bug that could result in lost user session data.

The update process follows the standard Drupal minor version upgrade path:

1. Back up your database and site files
2. Put the site in maintenance mode
3. Update Drupal core using your preferred method (Composer, Drush, or manual update)
4. Run the database updates
5. Clear caches
6. Take the site out of maintenance mode

Bug Fixes

Session Data Saving Fix

Fixed a critical issue where lazy-started sessions with session data were not being properly saved when using symfony/http-foundation 3.4.24. This bug could cause session data to be lost, potentially affecting user authentication, form submissions, and other session-dependent functionality.

The fix addresses the core session handling mechanism to ensure proper saving of session data regardless of how the session was initiated.

Reference: Issue #3045349

New Features

No new features were added in this release. This is a bugfix release focused on resolving a critical session handling issue.

Security Updates

While not explicitly labeled as a security fix, the session handling bug that was fixed could potentially have security implications, as lost session data might affect authentication states and user-specific information. By ensuring proper session data persistence, this release helps maintain the security integrity of session management.

Performance Improvements

No specific performance improvements were included in this release. The focus was on fixing the critical session handling bug.

Impact Summary

Drupal 8.6.14 addresses a critical bug in session handling that could cause session data to be lost when using symfony/http-foundation 3.4.24. This issue primarily affected sites where lazy-started sessions were being used.

The impact of this fix is significant for maintaining consistent user experiences across Drupal sites. Without this fix, users might experience unexpected logouts, lost form data, or other session-dependent functionality failures. Site administrators would see increased support requests related to authentication issues, and developers would face challenges debugging seemingly random session problems.

By upgrading to 8.6.14, sites will benefit from more reliable session management, reducing user frustration and support overhead. The fix ensures that session data is properly saved regardless of how the session was initiated, providing a more stable foundation for all session-dependent functionality.