New in Symfony 4.2: SameSite cookie configuration
Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.
Symfony added support for SameSite cookie attributes in Symfony 3.2 (November 2016). The SameSite attribute prevents the browser from sending cookies along with cross-site requests. In practice, this mitigates the risk of cross-origin information leakage and provides some protection against CSRF attacks.
In Symfony 4.2 we've made it easier to set this attribute in several parts of the framework.
The Remember Me feature now defines a new config option called `samesite` to set the value of this attribute in the cookie used by this feature:
```yaml
# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            # ...
            remember_me:
                # ...
                # possible values: 'strict', 'lax' and null
                samesite: 'strict'
```
Similarly, the cookies used to manage user sessions now define a new config option called `cookie_samesite` with the same possible values ('strict', 'lax' and null):
```yaml
# config/packages/framework.yaml
framework:
    # ...
    session:
        # ...
        cookie_samesite: 'strict'
```
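After enabling either option, it is worth confirming that the attribute actually reaches the browser, since a proxy or a cookie set elsewhere in the application can still go out without it. The following checker is an added example, not code from Symfony or from this post: it parses `Set-Cookie` header values (as captured with `curl -I` or a browser's network tab) and reports, per cookie, whether `SameSite` is present and matches the value you configured. The sample headers are constructed; the cookie names `PHPSESSID` and `REMEMBERME` are assumed to be the framework's default session and Remember Me cookie names.

```python
"""Check Set-Cookie headers for the SameSite attribute.

The SAMPLE_HEADERS below are constructed to resemble what a Symfony app might
emit for its session cookie (PHPSESSID, assumed default name) and its Remember Me
cookie (REMEMBERME, assumed default name); they are not captured traffic.
"""
from typing import Dict, List, Optional

# Values the samesite / cookie_samesite options accept besides null.
ALLOWED = {"strict", "lax"}


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie header value into its name/value pair and attributes.

    Attribute names are lower-cased so "SameSite" and "samesite" compare equal;
    flag attributes without a value (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if sep else None
    return cookie


def check_samesite(headers: List[str], expected: str = "strict") -> Dict[str, str]:
    """Return a verdict per cookie name: 'ok', 'missing' or 'unexpected:<value>'.

    'missing' means the cookie will be sent on cross-site requests according to
    the browser's default policy rather than the one configured in Symfony.
    """
    verdicts: Dict[str, str] = {}
    for h in headers:
        cookie = parse_set_cookie(h)
        got = cookie.get("samesite")
        if got is None:
            verdicts[cookie["name"]] = "missing"
        elif got.lower() == expected.lower() and got.lower() in ALLOWED:
            verdicts[cookie["name"]] = "ok"
        else:
            verdicts[cookie["name"]] = f"unexpected:{got}"
    return verdicts


# Constructed sample: session cookie configured strict, Remember Me cookie
# configured lax, and a legacy cookie set outside the framework config.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly; SameSite=strict",
    "REMEMBERME=dGVzdA%3D%3D; expires=Thu, 01 Jan 2026 00:00:00 GMT; Max-Age=31536000; path=/; httponly; samesite=lax",
    "legacy_pref=1; path=/",
]

if __name__ == "__main__":
    for cookie_name, verdict in check_samesite(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {verdict}")
```

Run it against the headers of a real response from your own deployment; any `missing` verdict on a session or Remember Me cookie means the configuration above has not taken effect on that path.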