Symfony News

New in Symfony 4.2: Auto-secure cookies

Contributed by
Nicolas Grekas
in #28447 and #28446.

In PHP, setting the secure parameter to true in the setcookie() or session_set_cookie_params() functions make cookies to be sent only when the connection is secure and uses HTTPS.

In Symfony applications you can control this behavior with the framework.session.cookie_secure option, which is a boolean that defaults to false. In order to improve the application security, in Symfony 4.2 we made cookies secure automatically.

The new default value of the cookie_secure option is null, which makes cookies secure when the request is using HTTPS and doesn't modify them when the request uses HTTP. The new behavior is a good balance between making your app "safe by default" and not breaking any existing app.

Related to this, the cookie used in the Remember Me feature now inherits the default config used in the framework.session.cookie_* options, so the new auto-secure behavior also applies to it.

In Symfony 5.0, to be released in November 2019, the default value of the $secure argument of the Cookie class constructor will change from false to null. In addition, the default value of the $samesite argument will change from null to lax to use the new SameSite cookie configuration.