Description
Rationale
The `secret` parameter is one of Symfony's most misunderstood configuration parameters. In the documentation you can read its explanation:
This is a string that should be unique to your application. In practice, it's used for generating the CSRF tokens, but it could be used in any other context where having a unique string is useful. It becomes the service container parameter named kernel.secret.
However:
- It seems that `secret` is no longer used to generate CSRF tokens.
- We have never explained how to generate and maintain this configuration option: how long should it be? Which kind of characters should it contain? Should I change it frequently? Should I guard it as if it were a password? What would happen if some malicious user gets my secret?
I've tried to look for uses of the `secret` configuration parameter and I've found almost nothing.
First use: in the FrameworkBundle DI extension you can find the following:

```php
if (isset($config['secret'])) {
    $container->setParameter('kernel.secret', $config['secret']);
}
```
Second use: in the same FrameworkBundle there is one service that uses it:

```xml
<service id="uri_signer" class="%uri_signer.class%">
    <argument>%kernel.secret%</argument>
</service>
```
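To make concrete what the `uri_signer` service protects with `kernel.secret`, here is an added example (Python as a stand-in, not Symfony's own UriSigner code) of a URI signer built on the same idea: an HMAC over the URI carried in a `_hash` query parameter (an assumed name), plus a way to generate the secret from the OS CSPRNG. Anyone holding the secret can produce valid signatures, which is why it has to be unpredictable and kept private.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HASH_PARAM = "_hash"  # assumed name of the signature query parameter


def generate_secret(num_bytes: int = 32) -> str:
    """Return a fresh secret from the OS CSPRNG, hex-encoded (64 chars for 32 bytes)."""
    return secrets.token_hex(num_bytes)


def _canonical(uri: str) -> str:
    """Rebuild the URI without _hash and with sorted query parameters,
    so the signature does not depend on parameter order."""
    parts = urlsplit(uri)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != HASH_PARAM]
    return urlunsplit(parts._replace(query=urlencode(sorted(params))))


def _mac(secret: str, canonical: str) -> str:
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign_uri(secret: str, uri: str) -> str:
    """Append an HMAC-SHA256 of the canonical URI as the _hash query parameter."""
    canonical = _canonical(uri)
    parts = urlsplit(canonical)
    query = parts.query + ("&" if parts.query else "") + urlencode({HASH_PARAM: _mac(secret, canonical)})
    return urlunsplit(parts._replace(query=query))


def check_uri(secret: str, signed_uri: str) -> bool:
    """Recompute the signature over the URI without _hash and compare in constant time."""
    params = dict(parse_qsl(urlsplit(signed_uri).query, keep_blank_values=True))
    presented = params.get(HASH_PARAM)
    if presented is None:
        return False
    return hmac.compare_digest(presented, _mac(secret, _canonical(signed_uri)))


if __name__ == "__main__":
    key = generate_secret()
    url = sign_uri(key, "https://example.test/download?user=42&file=report.pdf")
    print(url, check_uri(key, url), check_uri(key, url.replace("user=42", "user=43")))
```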
The alternatives
If you agree that this configuration parameter is no longer useful, we could deprecate this option in 2.7 and remove it entirely in 3.0.
If you still think that this option could be of some value, we could remove the `secret` configuration option and generate the `kernel.secret` parameter automatically by creating a random string in the FrameworkBundle DI extension.