[HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0 #28447
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
69d8d9a to
1535093
Compare
|
This PR now goes one step further and creates a path to change the default "secure" setting on |
774c256 to
f0a3863
Compare
DavidGarciaCat
approved these changes
Sep 11, 2018
There was a problem hiding this comment.
This PR makes sense to me, although I must say that this is the 1st PR that I review on this repository. Thanks, @nicolas-grekas to consider this update after discuss it on the issue.
fabpot
requested changes
Sep 12, 2018
| @@ -72,15 +73,19 @@ public static function fromString($cookie, $decode = false) | |||
| * @param int|string|\DateTimeInterface $expire The time the cookie expires | |||
| * @param string $path The path on the server in which the cookie will be available on | |||
| * @param string|null $domain The domain that the cookie is available to | |||
| * @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client | |||
| * @param bool|null $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client or null to set it later using {@see setSecureDefault()} | |||
There was a problem hiding this comment.
If think the most interesting bit to add is the auto-enabling feature (the setSecureDefault() is not that interesting if you ask me)
f0a3863 to
0ece7c3
Compare
ee1837f to
a94f569
Compare
rpkamp
reviewed
Sep 17, 2018
| if (null !== $this->sessionOptions) { | ||
| foreach ($this->sessionOptions as $k => $v) { | ||
| if (0 === strpos($k, 'cookie_')) { | ||
| $params[substr($k, 7)] = $v; |
a94f569 to
b186cbf
Compare
|
Tests added. Status: needs review |
|
Oh, and there is one more step now: samesite will turn to "lax" by default in Symfony 5! |
b186cbf to
42a7546
Compare
…ull + plan to make it and samesite=lax the defaults in 5.0
42a7546 to
9493cfd
Compare
fabpot
approved these changes
Sep 26, 2018
|
Thank you @nicolas-grekas. |
fabpot
added a commit
that referenced
this pull request
Sep 26, 2018
… them $secure=null + plan to make it and samesite=lax the defaults in 5.0 (nicolas-grekas) This PR was merged into the 4.2-dev branch. Discussion ---------- [HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0 | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | #26731 | License | MIT | Doc PR | - By creating Cookie instances using `null` for the `$secure` argument, this PR allows making cookies inherit their "secure" attribute from the request. This PR also adds a forward to make $secure=null and samesite=lax the defaults in Symfony 5.0: - either define all constructor's arguments explicitly - or use the new `Cookie::create()` factory Commits ------- 9493cfd [HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0
This was referenced Nov 3, 2018
Closed
Merged
chalasr
added a commit
that referenced
this pull request
Sep 10, 2023
…on (derrabus) This PR was merged into the 6.4 branch. Discussion ---------- [PsrHttpMessageBridge] Remove `Cookie::create()` detection | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | N/A | License | MIT | Doc PR | N/A This method exists since #28447 (Symfony 4.2) Commits ------- 94e75e6 [PsrHttpMessageBridge] Remove Cookie::create() detection
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By creating Cookie instances using
nullfor the$secureargument, this PR allows making cookies inherit their "secure" attribute from the request.This PR also adds a forward to make $secure=null and samesite=lax the defaults in Symfony 5.0:
Cookie::create()factory