Contributed by Nicolas Grekas in #28447 and #28446

In PHP, setting the secure parameter to true in the setcookie() or session_set_cookie_params() functions makes the browser send the cookie only over a secure (HTTPS) connection.

In Symfony applications you can control this behavior with the framework.session.cookie_secure option, which is a boolean that defaults to false. To improve application security, Symfony 4.2 makes cookies secure automatically.

The new default value of the cookie_secure option is null, which makes cookies secure when the request is using HTTPS and doesn't modify them when the request uses HTTP. The new behavior is a good balance between making your app "safe by default" and not breaking any existing app.

Related to this, the cookie used in the Remember Me feature now inherits the default config used in the framework.session.cookie_* options, so the new auto-secure behavior also applies to it.

In Symfony 5.0, to be released in November 2019, the default value of the $secure argument of the Cookie class constructor will change from false to null. In addition, the default value of the $samesite argument will change from null to 'lax' to use the new SameSite cookie configuration.
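As an added illustration (not code from the post or from Symfony itself), the script below shows the null-means-auto rule with a hypothetical helper, resolveCookieSecure(), and creates a Cookie with $secure and $sameSite passed explicitly so the application does not depend on the constructor defaults that change in 5.0. It assumes a Composer install of symfony/http-foundation 4.2; the request URLs and cookie values are constructed for the example.

```php
<?php
// Added example, not Symfony's own code: the 4.2 "auto-secure" rule is
//   null  -> secure if and only if the current request uses HTTPS,
//   bool  -> the explicit value is always honoured as-is.

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;

// Hypothetical helper mirroring the behaviour described in the post.
function resolveCookieSecure(?bool $configured, Request $request): bool
{
    // null == "auto": inherit the transport security of the request
    return $configured ?? $request->isSecure();
}

// Two constructed requests: one plain HTTP, one HTTPS.
$http  = Request::create('http://example.com/login');
$https = Request::create('https://example.com/login');

var_dump(resolveCookieSecure(null, $http));   // bool(false): untouched on HTTP
var_dump(resolveCookieSecure(null, $https));  // bool(true):  auto-secured on HTTPS
var_dump(resolveCookieSecure(false, $https)); // bool(false): explicit value wins

// Forward-compatible cookie creation: pass $secure and $sameSite explicitly
// rather than relying on defaults (false -> null and null -> 'lax' in 5.0).
$cookie = new Cookie(
    'REMEMBERME',                       // cookie name (constructed)
    'opaque-token-value',               // cookie value (constructed)
    time() + 3600,                      // expires in one hour
    '/',                                // path
    null,                               // domain: current host
    resolveCookieSecure(null, $https),  // true here: request is HTTPS
    true,                               // httpOnly: not readable from JavaScript
    false,                              // raw: let Symfony URL-encode the value
    Cookie::SAMESITE_LAX                // samesite=lax, the future 5.0 default
);

// Prints the Set-Cookie header line, ending in "; secure; httponly; samesite=lax".
echo $cookie, "\n";
```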

Published in #Living on the edge