New in Symfony 4.2: Auto-secure cookies
In PHP, setting the
secure parameter to
true in the
session_set_cookie_params() functions make cookies to be sent only when the
connection is secure and uses HTTPS.
In Symfony applications you can control this behavior with the
framework.session.cookie_secure option, which is a boolean that defaults to
false. In order to improve the application security, in Symfony 4.2 we
made cookies secure automatically.
The new default value of the
cookie_secure option is
null, which makes
cookies secure when the request is using HTTPS and doesn't modify them when the
request uses HTTP. The new behavior is a good balance between making your app
"safe by default" and not breaking any existing app.
Related to this, the cookie used in the Remember Me feature now inherits the
default config used in the
framework.session.cookie_* options, so the new
auto-secure behavior also applies to it.
In Symfony 5.0, to be released in November 2019, the default value of the
$secure argument of the
Cookie class constructor will change from
null. In addition, the default value of the
$samesite argument will
lax to use the new SameSite cookie configuration.