Contributed by
Ian Carroll
in #19143.
A new cookie attribute called same-site
allows applications to disable
third-party usage for any cookie. This helps protect users against CSRF attacks,
because without the cookies, attackers can't see you logged in to the websites
under attack.
In Symfony 3.2, the Cookie
class constructor added a ninth argument called
$sameSite
that can take any of the values defined in the Cookie::SAMESITE_LAX
and Cookie::SAMESITE_STRICT
constants:
1 2 3 | use Symfony\Component\HttpFoundation\Cookie;
$cookie = new Cookie(..., Cookie::SAMESITE_LAX);
|
The strict mode prevents any cross-site usage for the cookie. In the lax mode, some top-level GET requests are allowed, such as clicking on a link to another website or sending a form with GET method.
Contributed by
Fabien Potencier
in #18220
and #19143.
Previously, if you performed a 301
permanent redirect and didn't set a cache
header, the no-cache
header was added by Symfony. In Symfony 3.2 this
behavior has changed and now 301
redirects don't add the no-cache
header
automatically, but they maintain it if you set it explicitly.
Symfony 3.2 also fixes another inconsistency related to cache headers. When the
no-cache
header is present, Symfony now also adds the private
directive,
so the response contains no-cache, private
instead of just no-cache
.
isMethodIdempotent()
utility¶
Contributed by
Kévin Dunglas
in #19322.
HTTP safe methods are those that just retrieve resources but don't modify,
delete or create them (only GET
and HEAD
methods are considered safe).
The Request
class includes a isMethodSafe()
method to check whether the
given HTTP method is considered safe or not.
HTTP idempotent methods are those that can be used in a sequence of several
requests and get the same result without any other side-effect. For example
PUT
is idempotent because it creates a new resource everytime is called,
but POST
is not idempotent because it modifies a resource everytime is called.
In Symfony 3.2 we added a new method called isMethodIdempotent()
to check
whether the given HTTP method is idempotent or not.
What a Symfony developer should know about the framework: News, Jobs, Tweets, Events, Videos,...