New in Symfony 4.2: SameSite cookie configuration

September 26, 2018 · Published by Avatar of Javier Eguiluz Javier Eguiluz

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

Symfony added support for SameSite cookie attributes in Symfony 3.2 (November 2016). The SameSite attribute prevents the browser from sending cookies along with cross-site requests. In practice, this mitigates the risk of cross-origin information leakage and provides some protection against CSRF attacks.

In Symfony 4.2 we've made it easier to set this attribute in several parts of the framework.

SameSite attribute in "Remember Me"

Kévin Dunglas

Contributed by
Kévin Dunglas
in #27976.

The Remember Me feature now defines a new config option called samesite to set the value of this attribute in the cookie used by this feature:

1
2
3
4
5
6
7
8
9
10
11
12
# config/packages/security.yaml
security:
    # ...

    firewalls:
        main:
            # ...
            remember_me:
                # ...

                # possible values: 'strict', 'lax' and null
                samesite: 'strict'

SameSite attribute in sessions

Remon van de Kamp

Contributed by
Remon van de Kamp
in #28168.

Similarly, the cookies used to manage user sessions now define a new config option called cookie_samesite with the same possible values (strict, lax and null):

1
2
3
4
5
6
# config/packages/framework.yaml
framework:
    # ...
    session:
        # ...
        cookie_samesite: 'strict'
Published in #Living on the edge

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Randy Tellez Galan
Randy Tellez Galan said on Sep 26, 2018
what is the difference between lax and strict?
Avatar of Davey Hoogland
Davey Hoogland said on Sep 26, 2018
@Randy The strict mode prevents any cross-site usage for the cookie. In the lax mode, some top-level GET requests are allowed, such as clicking on a link to another website or sending a form with GET method. Source: https://symfony.com/blog/new-in-symfony-3-2-httpfoundation-improvements (Link in article)
Avatar of Krzysztof Wolniak
Krzysztof Wolniak said on Oct 1, 2018
I see some inconsistency, why in session attr name is "cookie_samesite" but in remember_me it's "samesite"?
Avatar of Javier Eguiluz
Javier Eguiluz Certified said on Oct 3, 2018
@Krzysztof that's right. The problem is that all previous session options were named "cookie_*" and all "remember me" options lacked that prefix ... so to keep consistency with the existing options, we kept that naming.

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.