New in Symfony 4.2: Auto-secure cookies
Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.
Contributed by Nicolas Grekas in #28447 and #28446.
In PHP, setting the secure parameter to true in the setcookie() or session_set_cookie_params() functions makes the browser send those cookies only when the connection is secure, that is, over HTTPS.
In Symfony applications you control this behavior with the framework.session.cookie_secure option, a boolean that defaults to false. To improve application security, Symfony 4.2 makes cookies secure automatically.
The new default value of the cookie_secure option is null, which makes cookies secure when the request uses HTTPS and leaves them unchanged when the request uses HTTP. The new behavior is a good balance between making your app "safe by default" and not breaking any existing app.
Related to this, the cookie used in the Remember Me feature now inherits the default config used in the framework.session.cookie_* options, so the new auto-secure behavior also applies to it.
In Symfony 5.0, to be released in November 2019, the default value of the $secure argument of the Cookie class constructor will change from false to null. In addition, the default value of the $samesite argument will change from null to lax to use the new SameSite cookie configuration.
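The following script is an added example, not code from the blog post or from the Symfony project itself. It shows what "auto-secure" means at the HttpFoundation level: a Cookie whose $secure argument is null is flagged Secure only when the request it is answered on arrived over HTTPS. It assumes symfony/http-foundation 4.2 installed through Composer, that the static factory Cookie::create() uses the 5.0 defaults ($secure = null, $sameSite = 'lax'), and that Response::prepare() is the step that applies the request scheme to such cookies; those assumptions are marked in the comments, and the request URLs are constructed for the demonstration.

```php
<?php
// Added example (not from the Symfony blog post or the Symfony project).
// Assumes symfony/http-foundation >= 4.2 is installed via Composer.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Build a response carrying two cookies and let HttpFoundation decide the
 * Secure flag from the request scheme. Returns name => isSecure() for each.
 */
function secureFlagsFor(Request $request): array
{
    // Assumption: Cookie::create() (new in 4.2) already uses the upcoming 5.0
    // defaults, i.e. $secure = null ("auto") and $sameSite = 'lax'.
    $auto = Cookie::create('prefs', 'dark');

    // The constructor keeps the 4.x defaults ($secure = false, $sameSite = null),
    // so auto-secure must be requested explicitly by passing null for $secure.
    $explicit = new Cookie('hint', '1', 0, '/', null, null, true, false, Cookie::SAMESITE_LAX);

    // A legacy cookie that never opted in stays non-secure even over HTTPS.
    $legacy = new Cookie('legacy', '1');

    $response = new Response('ok');
    foreach ([$auto, $explicit, $legacy] as $cookie) {
        $response->headers->setCookie($cookie);
    }

    // Assumption: Response::prepare() is where the request scheme is applied to
    // cookies whose $secure is null; on HTTP they are left as they are.
    $response->prepare($request);

    $flags = [];
    foreach ($response->headers->getCookies() as $cookie) {
        $flags[$cookie->getName()] = $cookie->isSecure();
    }

    return $flags;
}

// Constructed requests: same path, different scheme.
foreach (['http://example.test/', 'https://example.test/'] as $url) {
    $request = Request::create($url);
    printf("%s (isSecure=%s)\n", $url, var_export($request->isSecure(), true));
    foreach (secureFlagsFor($request) as $name => $secure) {
        printf("  %-7s Secure=%s\n", $name, var_export($secure, true));
    }
}
```

Over the http:// request all three cookies report Secure=false; over the https:// request "prefs" and "hint" become Secure=true while "legacy", which passed the old default of false, stays non-secure. That is the distinction the post describes: null means "follow the request", false means "never", and a cookie that is never marked Secure is still exposed to any plaintext hop, which is why reviewing explicit false values in existing code is worthwhile when upgrading.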