minor #14999 Update the default cookie_secure value in framework.rst (tamcy)
This PR was merged into the 5.2 branch.
Discussion
----------
Update the default `cookie_secure` value in framework.rst
Auto-secure cookies were introduced in Symfony 4.2. In Symfony 4.4, according to the Framework Configuration Reference, [the default value for `cookie_secure` is 'auto'](https://symfony.com/doc/4.4/reference/configuration/framework.html#cookie-secure). "Auto" means that the framework will set the `cookie_secure` flag to `true` when the traffic is sent through HTTPS, or `false` otherwise.
Since 5.0, [the value for this "auto" behavior has been changed to `null`](https://symfony.com/doc/5.0/reference/configuration/framework.html#cookie-secure) according to the Framework Configuration Reference documentation (the doc change happened somewhere in Jan 2020; I could not pinpoint the exact commit that caused this, though). That said, I can still find "auto" being mentioned in [the session documentation](https://symfony.com/doc/current/session.html). It is still the default configuration value of a new Symfony 5.2 project. Also, in the [Symfony\Bundle\FrameworkBundle\DependencyInjection\Configuration class](https://github.com/symfony/symfony/blob/f50e6afd7dd90e5a09e3e2ef81a2b10a8185e812/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php#L626), I can see that "auto" (but not null) is one of the allowed values.
So, I believe the behavior in the framework hasn't been changed, and the documentation change in `framework.rst` was not an intentional one. This PR updates the current `framework.rst` with the correct value.
Commits
-------
2de6e69 Update the default `cookie_secure` value