6 files changed +17 -5
lines changed Original file line number Diff line number Diff line change @@ -468,6 +468,18 @@ UPGRADE FROM 2.x to 3.0
468468 interface.
469469 The `security.csrf.token_manager` should be used instead.
470470
471+ * The default value of the parameter `session`.`cookie_httponly` is now `true`.
472+ It prevents scripting languages, such as JavaScript to access the cookie,
473+ which help to reduce identity theft through XSS attacks. If your
474+ application need to access the session's cookie override this parameter :
475+
476+ ` ` ` yaml
477+ framework:
478+ session:
479+ cookie_httponly: false
480+ ` ` `
481+
482+
471483# ## HttpKernel
472484
473485 * The `Symfony\Component\HttpKernel\Log\LoggerInterface` has been removed in
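Review bot: the added UPGRADE paragraph at lines 472-474 has grammar problems that will ship in a user-facing document: "such as JavaScript to access the cookie" should read "such as JavaScript, from accessing the cookie", "which help to reduce" should be "which helps to reduce", and "If your application need to access the session's cookie override this parameter :" should be "If your application needs to access the session cookie, override this parameter:" (no space before the colon). Also make sure the yaml fence at lines 476 and 480 is written as three contiguous backticks so the block renders, and drop one of the two trailing blank lines at 481-482 so the entry matches the spacing of the surrounding ones.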
Original file line number Diff line number Diff line change @@ -340,7 +340,7 @@ private function addSessionSection(ArrayNodeDefinition $rootNode)
340340 ->scalarNode ('cookie_path ' )->end ()
341341 ->scalarNode ('cookie_domain ' )->end ()
342342 ->booleanNode ('cookie_secure ' )->end ()
343- ->booleanNode ('cookie_httponly ' )->end ()
343+ ->booleanNode ('cookie_httponly ' )->defaultValue ( true )-> end ()
344344 ->scalarNode ('gc_divisor ' )->end ()
345345 ->scalarNode ('gc_probability ' )->defaultValue (1 )->end ()
346346 ->scalarNode ('gc_maxlifetime ' )->end ()
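Review bot: `->defaultValue(true)` on `cookie_httponly` at line 343 means the option is now always present in the resolved configuration, so applications that never set it and relied on the php.ini `session.cookie_httponly` setting will get `true` from the bundle from now on; that is the intended secure default and the UPGRADE entry documents the new value, but the entry should say explicitly that the bundle setting now takes precedence over the ini value. In the same spirit, `cookie_secure` on line 342 still has no default, so the session cookie is still sent over plain HTTP unless an application opts in; worth deciding whether it gets the same treatment in a follow-up.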
Original file line number Diff line number Diff line change 3232 'cookie_path ' => '/ ' ,
3333 'cookie_domain ' => 'example.com ' ,
3434 'cookie_secure ' => true ,
35- 'cookie_httponly ' => true ,
35+ 'cookie_httponly ' => false ,
3636 'gc_maxlifetime ' => 90000 ,
3737 'gc_divisor ' => 108 ,
3838 'gc_probability ' => 1 ,
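Review bot: flipping the PHP fixture from `true` to `false` at line 35 is a necessary change rather than a cosmetic one: now that `true` is the default, a fixture that set `true` would pass even if the option were silently ignored, whereas `false` proves the configured value actually reaches the session options. The XML and YAML fixtures need the identical flip so the three loaders keep the same expectations, which this commit does.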
Original file line number Diff line number Diff line change 1414 <framework : esi enabled =" true" />
1515 <framework : profiler only-exceptions =" true" enabled =" false" />
1616 <framework : router resource =" %kernel.root_dir%/config/routing.xml" type =" xml" />
17- <framework : session gc-maxlifetime =" 90000" gc-probability =" 1" gc-divisor =" 108" storage-id =" session.storage.native" handler-id =" session.handler.native_file" name =" _SYMFONY" cookie-lifetime =" 86400" cookie-path =" /" cookie-domain =" example.com" cookie-secure =" true" cookie-httponly =" true " save-path =" /path/to/sessions" />
17+ <framework : session gc-maxlifetime =" 90000" gc-probability =" 1" gc-divisor =" 108" storage-id =" session.storage.native" handler-id =" session.handler.native_file" name =" _SYMFONY" cookie-lifetime =" 86400" cookie-path =" /" cookie-domain =" example.com" cookie-secure =" true" cookie-httponly =" false " save-path =" /path/to/sessions" />
1818 <framework : request >
1919 <framework : format name =" csv" >
2020 <framework : mime-type >text/csv</framework : mime-type >
Original file line number Diff line number Diff line change @@ -24,7 +24,7 @@ framework:
2424 cookie_path : /
2525 cookie_domain : example.com
2626 cookie_secure : true
27- cookie_httponly : true
27+ cookie_httponly : false
2828 gc_probability : 1
2929 gc_divisor : 108
3030 gc_maxlifetime : 90000
Original file line number Diff line number Diff line change @@ -149,7 +149,7 @@ public function testSession()
149149 $ this ->assertEquals ('/ ' , $ options ['cookie_path ' ]);
150150 $ this ->assertEquals ('example.com ' , $ options ['cookie_domain ' ]);
151151 $ this ->assertTrue ($ options ['cookie_secure ' ]);
152- $ this ->assertTrue ($ options ['cookie_httponly ' ]);
152+ $ this ->assertFalse ($ options ['cookie_httponly ' ]);
153153 $ this ->assertEquals (108 , $ options ['gc_divisor ' ]);
154154 $ this ->assertEquals (1 , $ options ['gc_probability ' ]);
155155 $ this ->assertEquals (90000 , $ options ['gc_maxlifetime ' ]);
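Review bot: the new default is only covered indirectly: `$this->assertFalse($options['cookie_httponly']);` at line 152 checks that an explicit `false` is honoured, but nothing in this diff asserts that omitting `cookie_httponly` now yields `true`. Add a test that loads a configuration without the key (or runs the configuration processor over a `session` section that omits it) and asserts `cookie_httponly` is `true`; without it, a regression that drops the default would pass unnoticed.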