New in Symfony 4.2: SameSite cookie configuration
Symfony added support for the SameSite cookie attribute in Symfony 3.2 (November 2016). The SameSite attribute restricts when the browser sends a cookie along with cross-site requests: with Strict the cookie is never attached to a cross-site request, and with Lax it is attached only to top-level navigations that use a safe HTTP method such as GET (so not to cross-site form POSTs, XHR/fetch calls or embedded resources). In practice, this mitigates the risk of cross-origin information leakage and provides some protection against CSRF attacks.
In Symfony 4.2 we've made it easier to set this attribute in several parts of the framework.
SameSite attribute in "Remember Me"
Contributed by Kévin Dunglas in #27976.
The Remember Me feature now defines a new config option called samesite to set the value of this attribute in the cookie used by this feature:
```yaml
# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            # ...
            remember_me:
                # ...
                # possible values: 'strict', 'lax' and null
                samesite: 'strict'
```
SameSite attribute in sessions
Contributed by Remon van de Kamp in #28168.
Similarly, the cookies used to manage user sessions now define a new config option called cookie_samesite with the same possible values (strict, lax and null):
```yaml
# config/packages/framework.yaml
framework:
    # ...
    session:
        # ...
        cookie_samesite: 'strict'
```
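Both options above only decide which value ends up in the Set-Cookie header; what actually changes is the browser's decision about when to attach the REMEMBERME and session cookies to a request. The following is an added example, not code from Symfony or from this post: a small JavaScript model of the browser-side SameSite rules (as specified in the RFC 6265bis draft), run over constructed Set-Cookie lines shaped like the ones a Symfony app would emit with `samesite: 'strict'` on remember_me and `cookie_samesite: 'lax'` on the session. The cookie values, the hosts and the scenario table are all constructed for the example, and the "site" computation is a last-two-labels approximation rather than a Public Suffix List lookup. The `laxByDefault` option is an assumption added to model browsers that treat a missing attribute (Symfony's null) as Lax, which was not the browser default when this post was written.

```javascript
'use strict';

// Methods a Lax cookie may accompany on a cross-site top-level navigation.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Approximate the "site" of a host as its last two labels.
// Assumption for this example: real browsers consult the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into name/value plus the attributes that
// matter here (SameSite, Secure). Other attributes are ignored.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [rawKey, rawVal = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'samesite') cookie.sameSite = rawVal.trim().toLowerCase();
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Would the browser attach `cookie` (set by the site of request.targetHost) to a
// request initiated from request.initiatorHost?
// laxByDefault: treat a missing/unknown SameSite value as Lax instead of "no
// restriction" (assumption modelling newer browser defaults).
function wouldSend(cookie, request, { laxByDefault = false } = {}) {
  const { initiatorHost, targetHost, method = 'GET', topLevelNavigation = false } = request;
  if (siteOf(initiatorHost) === siteOf(targetHost)) return true; // same-site: always sent

  let mode = cookie.sameSite;
  if (mode === null || !['strict', 'lax', 'none'].includes(mode)) {
    mode = laxByDefault ? 'lax' : 'none';
  }
  if (mode === 'strict') return false;
  if (mode === 'lax') return topLevelNavigation && SAFE_METHODS.has(method.toUpperCase());
  return true; // 'none': unrestricted
}

// Evaluate every cookie against every scenario; returns { cookieName: { scenario: bool } }.
function matrix(setCookieHeaders, scenarios, options) {
  const result = {};
  for (const cookie of setCookieHeaders.map(parseSetCookie)) {
    result[cookie.name] = {};
    for (const [label, request] of Object.entries(scenarios)) {
      result[cookie.name][label] = wouldSend(cookie, request, options);
    }
  }
  return result;
}

// Constructed Set-Cookie lines (REMEMBERME and PHPSESSID are the default names;
// the values are placeholders). LEGACY carries no attribute, i.e. Symfony's null.
const SAMPLE_SET_COOKIES = [
  'REMEMBERME=dXNlcjpleHBpcnk6aGFzaA; Path=/; HttpOnly; Secure; SameSite=strict',
  'PHPSESSID=f3b1c2d4e5; Path=/; HttpOnly; Secure; SameSite=lax',
  'LEGACY=abc; Path=/',
];

// Constructed request scenarios against app.example.com.
const SCENARIOS = {
  sameSiteXhr:        { initiatorHost: 'app.example.com',  targetHost: 'app.example.com', method: 'POST' },
  crossSiteLinkClick: { initiatorHost: 'forum.example.net', targetHost: 'app.example.com', method: 'GET',  topLevelNavigation: true },
  crossSiteFormPost:  { initiatorHost: 'evil.example.org',  targetHost: 'app.example.com', method: 'POST', topLevelNavigation: true },
  crossSiteFetch:     { initiatorHost: 'evil.example.org',  targetHost: 'app.example.com', method: 'GET',  topLevelNavigation: false },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.table(matrix(SAMPLE_SET_COOKIES, SCENARIOS));
}
```

The matrix makes the trade-off behind the two settings visible: with `samesite: 'strict'` the REMEMBERME cookie is not sent even for `crossSiteLinkClick`, so a user who follows a link to your site from another site arrives without it and looks logged out until they navigate within the site, while `lax` keeps that navigation working and still drops the cookie on the cross-site form POST and fetch that a CSRF attack would rely on. A `null` value emits no attribute at all; whether that means "unrestricted" or "Lax" is then up to the browser, which is the reason to set the attribute explicitly rather than rely on the default.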
New in Symfony 4.2: SameSite cookie configuration symfony.com/blog/new-in-symfony-4-2-samesite-cookie-configuration
Randy Tellez Galan said on Sep 26, 2018 at 14:14 #1