A new Symfony minor version release is a good opportunity to deprecate some features in preparation for their removal in the next major version. In Symfony 7.2, we've deprecated the following features that will be removed in Symfony 8.0.

Deprecated Session ID Config Options

Alexandre Daubois
Contributed by Alexandre Daubois in #57805

PHP defines two INI options called session.sid_length and session.sid_bits_per_character. The PHP maintainers recognized these options as problematic because developers could set session IDs that are too short (and therefore unsafe) or too long (which is unnecessary and consumes more CPU resources without significant security benefits). That's why, starting in PHP 8.4, they deprecated those options, and in Symfony 7.2, we've deprecated the corresponding options under framework.session.

Remove the Default Garbage Collector Probability

Nicolas Grekas
Contributed by Nicolas Grekas in #58165

When a session opens, PHP calls the garbage collector handler randomly based on the probability defined by session.gc_probability/session.gc_divisor (e.g., a 5/100 configuration means a 5% chance of invoking the garbage collector).

In Symfony, the session.gc_probability option had a default value of 1. This value overrode the corresponding PHP INI setting, but we encourage using the native PHP session features (including the default session folder). As a result, we've removed this default value and now rely on the PHP INI settings by default.

Deprecated More Session Config Options

Alexandre Daubois
Contributed by Alexandre Daubois in #58244

PHP 8.4 also deprecated other options related to sessions. Consequently, when using NativeSessionStorage, it's now deprecated to configure these options: referer_check, use_only_cookies, use_trans_sid, trans_sid_hosts, and trans_sid_tags.

Deprecated Empty User Identifiers

Antonio J. García Lagar
Contributed by Antonio J. García Lagar in #58007

In Symfony, some authenticators like FormLoginAuthenticator and JsonLoginAuthenticator already check if the provided user identifier is an empty string and throw an exception if it is.

We believe all authenticators should enforce this behavior, so we updated the following:

  • The getUserIdentifier() method of UserInterface must now return a non-empty string;
  • Passing an empty user identifier to the constructor of UserBadge is now deprecated.

Deprecated the !tagged Tag

Alexandre Daubois
Contributed by Alexandre Daubois in #57934

When working with service tags, the !tagged_iterator tag in YAML and XML files allows you to inject all services tagged with a specific tag:

1
2
3
4
5
6
7
8
# config/services.yaml
services:
    # ...

    App\HandlerCollection:
        # inject all services tagged with 'app.handler'
        arguments:
            - !tagged_iterator 'app.handler'

The !tagged_iterator tag replaced the !tagged tag, which was still supported in YAML/XML files. In Symfony 7.2, the !tagged tag is officially deprecated.

Published in #Living on the edge