Flag all cookies as Secure #26731
Comments
It's a new feature so it should go in master. However, I do think it should also deprecate the session cookie setting, as I'm not sure there would be a reason to just flag the session cookie and not others, unless you are on multiple domains, which should be configurable anyway in this feature.

For the login session this was not a problem, as it was discussed with @xabbuh. If you believe this could break previous settings when moving to newer versions, then I would suggest thinking about this with another parameter, as I was suggesting. My point is that it seems useless to ask me if I want to secure my Session Cookie but any other cookie is set by default with no security. Maybe this can be included in the next major release, but it seems useless to create an Event Listener to check all cookies on

Do you think this might be a problem?

I do, because that would make the setting global. I.e. bundles wouldn't be able to know what the default is. That's the exact same issue as with PHP ini settings.

See #28447

Thanks, @nicolas-grekas - I'll follow the progress of that PR with high expectations!
… them $secure=null + plan to make it and samesite=lax the defaults in 5.0 (nicolas-grekas)

This PR was merged into the 4.2-dev branch.

Discussion
----------

[HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0

| Q | A |
| ------------- | --- |
| Branch? | master |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | yes |
| Tests pass? | yes |
| Fixed tickets | #26731 |
| License | MIT |
| Doc PR | - |

By creating Cookie instances using `null` for the `$secure` argument, this PR allows making cookies inherit their "secure" attribute from the request.

This PR also adds a forward to make $secure=null and samesite=lax the defaults in Symfony 5.0:
- either define all constructor's arguments explicitly
- or use the new `Cookie::create()` factory

Commits
-------

9493cfd [HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0
As per @xabbuh's suggestion on this other issue #26667 (comment), I believe that it's a problem when I set the `Secure` flag for Session Cookies but it doesn't affect the rest of the cookies that I have. I believe that two global parameters to flag all Cookies as `Secure` as well as `HttpOnly` automatically (not just the Session Cookie) could provide a great enhancement to the framework, since it might help developers to increase the security of their projects in an easier way than the current case, where I need to add a new `Kernel.ResponseListener` to check for all existing cookies and re-set all of them with the Secure flag in the event that they aren't.

Although I could use an update like this on several projects starting from Symfony 2.8 and ending on Symfony 4.x, I don't know if this is something that could be implemented on all these Symfony versions.

Happy to discuss!
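A `kernel.response` listener of the kind the issue describes, as an added example that is not code from the issue, its participants or Symfony itself. It assumes Symfony 4.x class names (`FilterResponseEvent`, the `Cookie` constructor with its `$raw` and `$sameSite` arguments) and applies the same rule the linked PR later built in for `$secure=null`: the Secure flag is only added when the request itself arrived over HTTPS.

```php
<?php
// Added example (not from the issue or Symfony): re-issue every cookie with Secure + HttpOnly.
// Assumes Symfony 4.x: FilterResponseEvent, Cookie constructor with $raw and $sameSite.
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class SecureCookiesSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Low priority: run after listeners that add cookies (session, remember-me, ...).
        return [KernelEvents::RESPONSE => ['onKernelResponse', -1024]];
    }

    public function onKernelResponse(FilterResponseEvent $event): void
    {
        if (!$event->isMasterRequest()) {
            return;
        }
        // Only add Secure when the request itself came over HTTPS: a Secure cookie set on a
        // plain-HTTP response is never sent back by the browser (the session would just vanish).
        $secure = $event->getRequest()->isSecure();
        $headers = $event->getResponse()->headers;

        foreach ($headers->getCookies() as $cookie) {
            $wantSecure = $secure || $cookie->isSecure();
            if ($cookie->isSecure() === $wantSecure && $cookie->isHttpOnly()) {
                continue; // already flagged the way we want it
            }
            // Cookie objects are immutable, so replace the header with a re-flagged copy.
            $headers->removeCookie($cookie->getName(), $cookie->getPath(), $cookie->getDomain());
            $headers->setCookie(new Cookie(
                $cookie->getName(),
                $cookie->getValue(),
                $cookie->getExpiresTime(),
                $cookie->getPath(),
                $cookie->getDomain(),
                $wantSecure,
                true,               // HttpOnly: exclude by name any cookie your JavaScript must read
                $cookie->isRaw(),
                $cookie->getSameSite()
            ));
        }
    }
}
```

With the default service configuration the subscriber is autowired and registered automatically; on Symfony 4.3 and later `ResponseEvent` replaces `FilterResponseEvent`.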