Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[FrameworkBundle] Change the default value of cookie_httponly #15372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 1, 2015
Merged

[FrameworkBundle] Change the default value of cookie_httponly #15372

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 22 additions & 8 deletions UPGRADE-2.8.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,32 +8,32 @@ Form
option together with the `Valid` constraint instead. Contrary to
"cascade_validation", "constraints" must be set on the respective child forms,
not the parent form.

Before:

```php
$form = $this->createForm('form', $article, array('cascade_validation' => true))
->add('author', new AuthorType())
->getForm();
```

After:

```php
use Symfony\Component\Validator\Constraints\Valid;

$form = $this->createForm('form', $article)
->add('author', new AuthorType(), array(
'constraints' => new Valid(),
))
->getForm();
```

Alternatively, you can set the `Valid` constraint in the model itself:

```php
use Symfony\Component\Validator\Constraints as Assert;

class Article
{
/**
Expand Down Expand Up @@ -136,3 +136,17 @@ DependencyInjection
<service id="foo" class="stdClass" shared="false" />
</services>
```

FrameworkBundle
---------------

* The default value of the parameter `session`.`cookie_httponly` is now `true`.
It prevents scripting languages, such as JavaScript to access the cookie,
which help to reduce identity theft through XSS attacks. If your
application needs to access the session cookie, override this parameter:

```yaml
framework:
session:
cookie_httponly: false
```
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -340,7 +340,7 @@ private function addSessionSection(ArrayNodeDefinition $rootNode)
->scalarNode('cookie_path')->end()
->scalarNode('cookie_domain')->end()
->booleanNode('cookie_secure')->end()
->booleanNode('cookie_httponly')->end()
->booleanNode('cookie_httponly')->defaultTrue()->end()
->scalarNode('gc_divisor')->end()
->scalarNode('gc_probability')->defaultValue(1)->end()
->scalarNode('gc_maxlifetime')->end()
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
'cookie_path' => '/',
'cookie_domain' => 'example.com',
'cookie_secure' => true,
'cookie_httponly' => true,
'cookie_httponly' => false,
'gc_maxlifetime' => 90000,
'gc_divisor' => 108,
'gc_probability' => 1,
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<framework:esi enabled="true" />
<framework:profiler only-exceptions="true" enabled="false" />
<framework:router resource="%kernel.root_dir%/config/routing.xml" type="xml" />
<framework:session gc-maxlifetime="90000" gc-probability="1" gc-divisor="108" storage-id="session.storage.native" handler-id="session.handler.native_file" name="_SYMFONY" cookie-lifetime="86400" cookie-path="/" cookie-domain="example.com" cookie-secure="true" cookie-httponly="true" save-path="/path/to/sessions" />
<framework:session gc-maxlifetime="90000" gc-probability="1" gc-divisor="108" storage-id="session.storage.native" handler-id="session.handler.native_file" name="_SYMFONY" cookie-lifetime="86400" cookie-path="/" cookie-domain="example.com" cookie-secure="true" cookie-httponly="false" save-path="/path/to/sessions" />
<framework:request>
<framework:format name="csv">
<framework:mime-type>text/csv</framework:mime-type>
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ framework:
cookie_path: /
cookie_domain: example.com
cookie_secure: true
cookie_httponly: true
cookie_httponly: false
gc_probability: 1
gc_divisor: 108
gc_maxlifetime: 90000
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,7 @@ public function testSession()
$this->assertEquals('/', $options['cookie_path']);
$this->assertEquals('example.com', $options['cookie_domain']);
$this->assertTrue($options['cookie_secure']);
$this->assertTrue($options['cookie_httponly']);
$this->assertFalse($options['cookie_httponly']);
$this->assertEquals(108, $options['gc_divisor']);
$this->assertEquals(1, $options['gc_probability']);
$this->assertEquals(90000, $options['gc_maxlifetime']);
Expand Down