
Commit 387ebc0

feature #5109 Improved the explanation about the "secret" configuration parameter (javiereguiluz)
This PR was merged into the 2.3 branch.

Discussion
----------

Improved the explanation about the "secret" configuration parameter

| Q             | A   |
| ------------- | --- |
| Doc fix?      | no  |
| New docs?     | yes |
| Applies to    | all |
| Fixed tickets | -   |

Commits
-------

ac3a74d Minor rewording
db5db0f Fixed a minor grammar issue
74841e6 Minor rewording
4bbd84a Fixed some typos
b13250d Improved the explanation about the "secret" configuration parameter
2 parents cac0a9c + ac3a74d commit 387ebc0

1 file changed

+18
-4
lines changed


reference/configuration/framework.rst

@@ -60,10 +60,24 @@ secret
6060

6161
**type**: ``string`` **required**
6262

63-
This is a string that should be unique to your application. In practice,
64-
it's used for generating the CSRF tokens, but it could be used in any other
65-
context where having a unique string is useful. It becomes the service container
66-
parameter named ``kernel.secret``.
63+
This is a string that should be unique to your application and it's commonly used
64+
to add more entropy to security related operations. Its value should be a series of
65+
characters, numbers and symbols chosen randomly and the recommended length is
66+
around 32 characters.
67+
68+
In practice, Symfony uses this value for generating the :ref:`CSRF tokens <forms-csrf>`,
69+
for encrypting the cookies used in the :doc:`remember me functionality </cookbook/security/remember_me>`
70+
and for creating signed URIs when using :ref:`ESI (Edge Side Includes) <edge-side-includes>` .
71+
72+
This option becomes the service container parameter named ``kernel.secret``,
73+
which you can use whenever the application needs an immutable random string
74+
to add more entropy.
75+
76+
As with any other security-related parameter, it is a good practice to change this
77+
value from time to time. However, keep in mind that changing this value will
78+
invalidate all signed URIs and Remember Me cookies. That's why, after changing
79+
this value, you should regenerate the application cache and log out all the
80+
application users.
6781

6882
.. _configuration-framework-http_method_override:
6983
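Review bot: the wording at line 69, "encrypting the cookies used in the remember me functionality", is inconsistent with the rest of the hunk, which describes the secret as producing "signed URIs" and states that changing it will "invalidate all signed URIs and Remember Me cookies"; describing the cookie value as signed with (or derived from) the secret would keep the three listed uses consistent with the invalidation warning. Two smaller points: line 64 writes "security related" while line 76 writes "security-related", so the hyphenated form should be used in both places, and line 70 has a stray space before the final period after the ESI reference. Lastly, "chosen randomly" at line 65 would be clearer as "generated with a secure random generator", since a string typed by hand rarely has the entropy the paragraph promises.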
