Add documentation on cookie_samesite setting in FrameworkBundle #10202

Closed
@rpkamp (Contributor) commented Aug 20, 2018

Documentation supporting symfony/symfony#28168

~~~~~~~~~~~~~~~~~~~~~~~

.. versionadded:: 4.2
  The option to use SameSite cookies for session was introduced in 4.2.

Member:

for sessions?

.. versionadded:: 4.2
  The option to use SameSite cookies for session was introduced in 4.2.

SameSite cookies are a measure to protect against Cross Site Forgery Request (CSRF) attacks by preventing the cookies to be sent to the server if a request was not originated from the domain the cookies are for.
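
Review bot: The added paragraph names the attack "Cross Site Forgery Request"; the CSRF abbreviation in the same sentence stands for Cross-Site Request Forgery, so the words should be reordered. In the same sentence, "preventing the cookies to be sent" should read "preventing the cookies from being sent", and "if a request was not originated from" should read "if the request did not originate from".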

Member:

Text should be at around 80 chars

symfony-splitter pushed a commit to symfony/framework-bundle that referenced this pull request Sep 4, 2018
This PR was merged into the 4.2-dev branch.

Discussion
----------

Add SameSite cookies to FrameWorkBundle

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes, and added to changelog https://github.com/symfony/symfony/pull/28168/files#diff-276f5b13978c2ce3f555b9603f44801aR21
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #27631
| License       | MIT
| Doc PR        | symfony/symfony-docs#10202

Uses `session.cookie_samesite` for PHP >= 7.3. For PHP < 7.3 it first
does a session_start(), finds the emitted header, changes it, and emits
it again with the value for SameSite added.

I also tried it in a minimal Symfony 4.1 app, and it works there too:

![screenshot from 2018-08-08 21-39-10](https://user-images.githubusercontent.com/1059790/43864708-b7437978-9b60-11e8-81dd-b41f1a5afb52.png)

Commits
-------

4091feb693 Add SameSite cookies to FrameWorkBundle
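
The PHP < 7.3 fallback described in the commit message above (start the session, find the emitted header, re-emit it with SameSite added), sketched as an added example. It is not the code from symfony/symfony#28168; the function name `addSameSiteToSessionCookie` and the sample headers are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Append SameSite to the session cookie in raw header lines (the format
 * headers_list() returns). Hypothetical helper, not Symfony's code.
 */
function addSameSiteToSessionCookie(array $headers, string $sessionName, string $sameSite): array
{
    $sameSite = ucfirst(strtolower($sameSite));
    if (!in_array($sameSite, ['Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('This example accepts only Lax or Strict.');
    }
    foreach ($headers as $i => $line) {
        // Header names are case-insensitive; cookie names are not.
        if (!preg_match('/^set-cookie:\s*(.*)$/i', $line, $m)) {
            continue;
        }
        $cookie = $m[1];
        if (strpos($cookie, $sessionName . '=') !== 0) {
            continue; // some other cookie, leave untouched
        }
        if (preg_match('/;\s*samesite\s*=/i', $cookie)) {
            continue; // attribute already present, do not add a second one
        }
        $headers[$i] = 'Set-Cookie: ' . rtrim($cookie, '; ') . '; SameSite=' . $sameSite;
    }
    return $headers;
}

// Constructed sample of headers_list() output after session_start() on PHP < 7.3.
$emitted = [
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly',
    'Set-Cookie: theme=dark; path=/',
];
print_r(addSameSiteToSessionCookie($emitted, 'PHPSESSID', 'lax'));

// In a real request the rewritten lines replace the originals:
//   header_remove('Set-Cookie');   // drops every Set-Cookie header
//   foreach ($rewritten as $l) { if (stripos($l, 'Set-Cookie:') === 0) header($l, false); }
// On PHP >= 7.3, set the session.cookie_samesite ini option before session_start() instead.
```

Because `header_remove('Set-Cookie')` drops every cookie header, all Set-Cookie lines have to be re-emitted, not only the session one.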
fabpot added a commit to symfony/symfony that referenced this pull request Sep 4, 2018
4091feb Add SameSite cookies to FrameWorkBundle
@xabbuh removed the "Waiting Code Merge" label (Docs for features pending to be merged) Sep 4, 2018
@xabbuh added this to the 4.2 milestone Sep 4, 2018
@javiereguiluz changed the title from "[WCM] Add documentation on cookie_samesite setting in FrameworkBundle" to "Add documentation on cookie_samesite setting in FrameworkBundle" Sep 5, 2018

@javiereguiluz (Member) commented:

@rpkamp thanks a lot for contributing this feature and its docs. It's a really important feature because PHP 7.3 is adding support for it as well as all modern browsers.

Sadly, this pull request needed some important changes ... so I opened #10258 to replace it. The main issue is that this is a config option of Symfony full-stack apps ... so we can't explain it in the components doc (I know, it may be confusing ... we're trying to change this).

Also, given that it's a very recent feature, we decided to explain it a bit more so readers can make a better choice for this option. In any case, thanks again for your contribution!

javiereguiluz added a commit that referenced this pull request Sep 5, 2018
This PR was merged into the master branch.

Discussion
----------

Added docs for cookie_samesite option

This replaces #10202.

Commits
-------

4763b7b Added docs for cookie_samesite option

@rpkamp (Contributor, Author) commented Sep 5, 2018

No problem @javiereguiluz. Thanks for taking this on 😄

@rpkamp rpkamp deleted the session-samesite branch September 5, 2018 09:19