This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.
Fabien Potencier f350f532b7 bug #35605 [HttpFoundation][FrameworkBundle] fix support for samesite in session cookies (fabpot)
This PR was merged into the 3.4 branch.

Discussion
----------

[HttpFoundation][FrameworkBundle] fix support for samesite in session cookies

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #35520
| License       | MIT
| Doc PR        | -

This PR cherry-picks #28168 on 3.4, with a rationale given by @ConneXNL in https://github.com/symfony/symfony/issues/35520#issuecomment-582296847:

> I hope I am wrong but I see the impact of not making any changes to Symfony 3.4 will have tons of sites break if we cannot set the cookie's samesite setting (in the framework session and remember me) before Chrome pushes this update.
>
> Very soon all existing cookies are no longer going to work with cross-domains if you do not specify 'None' for the cookie_samesite. All external APIs that use cookies and are running SF 3.4 will break and devs will have no quick solution to fix their auth process.
>
> If you are using PHP 7.4, yes you can most likely use ini_set to workaround this issue.
>
> However, ini_set('cookie_samesite') does not work in PHP Version <= 7.2.
> I am not even sure PHP 7.3 supports the value 'None' as php.watch/articles/PHP-Samesite-cookies says it has support for 'Lax' and 'Strict'.
>
> This effectively means SF 3.4 on PHP 7.2 (or PHP 7.3) is no longer supported for cross domain APIs with cookies. People would have to either update PHP to 7.4 (if they even can?) or go to Symfony 4 (with a dead live site, this is going to be a complete disaster).
>
> Since the impact of the change that chrome is about to roll out is so fundamentally changing our way to set cookies, I consider configuring samesite configuration in the framework an absolute requirement, not a feature, especially since SF 3.4 is still supported.
>
> What am I missing?
>
> Note: SF3 HTTPFoundation already supports the new cookie settings, it's just the framework that doesn't support it.

Our BC policy embeds the promise that one should be able to keep the same app on the newest infrastructure (e.g. that's why supporting a PHP version is a bug fix). I think we can consider this for browsers here also. WDYT?

Commits
-------

f46e6cb8a0 [HttpFoundation][FrameworkBundle] fix support for samesite in session cookies
2020-02-07 08:56:52 +01:00
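As an added example that is not part of this PR or of the Symfony code base: the session configuration a Symfony 3.4 application (app/config/config.yml, the 3.4 layout) would carry once this fix ships, for the cross-domain API case the quoted comment describes. It assumes the backported option keeps the `framework.session.cookie_samesite` name used in the discussion and accepts the lowercase values `lax`, `strict` and `none`; check the accepted values against the FrameworkBundle configuration reference of the 3.4 release you actually run.

```yaml
# app/config/config.yml (Symfony 3.4 layout). Added example, not code from the PR;
# the option name and its accepted values are assumed from the discussion above.
framework:
    session:
        # Keep the session id out of reach of script on the page.
        cookie_httponly: true
        # Cross-site use (an API consumed from another origin with cookies):
        # Chrome 80 treats a cookie that carries no SameSite attribute as Lax
        # and drops it on cross-site requests, so None has to be stated.
        cookie_samesite: none
        # Chrome only accepts SameSite=None together with the Secure flag; a
        # None cookie without Secure is rejected outright, which is the
        # "weak" setting to avoid. This also keeps the session id off plain HTTP.
        cookie_secure: true
        # Applications that are only used same-site should not opt into None.
        # Use lax (the Chrome 80 default) or strict there instead, e.g.:
        # cookie_samesite: lax
```

The two settings belong together: `cookie_samesite: none` with `cookie_secure: false` produces a Set-Cookie header that Chrome 80 and later silently discard, which looks exactly like the "auth process breaks" failure the issue describes, only now with the attribute present.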
| Path | Last commit | Date |
| --- | --- | --- |
| .github | Update PR template | 2020-02-01 11:00:56 +01:00 |
| src/Symfony | bug #35605 [HttpFoundation][FrameworkBundle] fix support for samesite in session cookies (fabpot) | 2020-02-07 08:56:52 +01:00 |
| .appveyor.yml | [CI] fix building local packages | 2019-10-15 14:09:56 +02:00 |
| .editorconfig | Update .editorconfig | 2018-09-06 16:22:56 +02:00 |
| .gitignore | Run the phpunit-bridge from a PR | 2019-08-02 17:46:19 +02:00 |
| .php_cs.dist | Simplify PHP CS Fixer configuration | 2019-11-03 15:37:51 +01:00 |
| .travis.yml | Fix testing with mongodb | 2020-01-23 11:22:55 +01:00 |
| CHANGELOG-3.0.md | Merge branch '2.8' into 3.1 | 2016-08-05 10:37:39 +02:00 |
| CHANGELOG-3.1.md | updated CHANGELOG for 3.1.9 | 2017-01-12 12:43:31 -08:00 |
| CHANGELOG-3.2.md | use behavior instead of behaviour | 2019-03-25 08:48:46 +01:00 |
| CHANGELOG-3.3.md | use behavior instead of behaviour | 2019-03-25 08:48:46 +01:00 |
| CHANGELOG-3.4.md | updated CHANGELOG for 3.4.37 | 2020-01-21 13:29:39 +01:00 |
| CODE_OF_CONDUCT.md | Added the Code of Conduct file | 2018-10-10 03:13:30 -07:00 |
| composer.json | Add conflict rule for Monolog 2. | 2019-11-17 14:23:03 +01:00 |
| CONTRIBUTING.md | Mention the community review guide | 2016-12-18 22:02:35 +01:00 |
| CONTRIBUTORS.md | update CONTRIBUTORS for 3.4.37 | 2020-01-21 13:29:48 +01:00 |
| LICENSE | Update year in license files | 2020-01-01 12:03:25 +01:00 |
| link | Allow copy instead of symlink for ./link script | 2019-12-02 15:51:37 +01:00 |
| phpunit | Bump phpunit-bridge cache | 2020-01-31 10:55:33 +01:00 |
| phpunit.xml.dist | Merge branch '2.8' into 3.4 | 2018-11-11 20:48:54 +01:00 |
| README.md | Improve Symfony description | 2019-11-24 19:17:45 +01:00 |
| UPGRADE-3.0.md | Fixed markdown file | 2019-08-13 19:39:09 +02:00 |
| UPGRADE-3.1.md | [Serializer] Remove AbstractObjectNormalizer::isAttributeToNormalize | 2016-12-08 16:02:32 +01:00 |
| UPGRADE-3.2.md | Merge branch '2.8' into 3.4 | 2018-02-22 13:28:57 +01:00 |
| UPGRADE-3.3.md | Merge branch '3.3' into 3.4 | 2017-11-30 15:59:23 +01:00 |
| UPGRADE-3.4.md | Merge branch '2.8' into 3.4 | 2018-05-31 12:13:22 +02:00 |
| UPGRADE-4.0.md | Link the right file depending on the new version | 2019-11-16 09:59:33 +01:00 |

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony is used by thousands of web applications (including BlaBlaCar.com and Spotify.com) and most of the popular PHP projects (including Drupal and Magento).

Installation

Documentation

Community

Contributing

Symfony is an Open Source, community-driven project with thousands of contributors. Join them by contributing code or documentation.

Security Issues

If you discover a security vulnerability within Symfony, please follow our disclosure procedure.

About Us

Symfony development is sponsored by SensioLabs, led by the Symfony Core Team and supported by Symfony contributors.