
Commit 0ef0c03

minor #7891 Fix : the "secret" config parameter is not used anymore for CSRF tokens (ClementNotin)
This PR was merged into the 3.2 branch.

Discussion
----------

Fix : the "secret" config parameter is not used anymore for CSRF tokens

I previously commented on this in an old closed issue (that I suppose will remain ignored): symfony/symfony#14026 (comment)

The _secret_ config parameter is not used anymore for CSRF tokens but this statement is still written in the current documentation https://symfony.com/doc/current/reference/configuration/framework.html#secret

This is confusing and I would recommend to clarify this by removing the statement or describing that it was valid until a certain version.

My understanding is that the CSRF token provider that used this parameter has been deprecated since v2.4 and removed in v3.0 according to https://github.com/symfony/symfony/blob/2.4/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php#L22 or http://api.symfony.com/2.3/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.html#method___construct

Commits
-------

61e0bc7 The "secret" config parameter is not used anymore for CSRF tokens
2 parents 86b6696 + 61e0bc7 commit 0ef0c03

1 file changed: +3 -2 lines changed

reference/configuration/framework.rst

Lines changed: 3 additions & 2 deletions
@@ -131,10 +131,11 @@ used to add more entropy to security related operations. Its value should
131131
be a series of characters, numbers and symbols chosen randomly and the
132132
recommended length is around 32 characters.
133133

134-
In practice, Symfony uses this value for generating the
135-
:doc:`CSRF tokens </form/csrf_protection>`, for encrypting the cookies used
134+
In practice, Symfony uses this value for encrypting the cookies used
136135
in the :doc:`remember me functionality </security/remember_me>` and for
137136
creating signed URIs when using :ref:`ESI (Edge Side Includes) <edge-side-includes>`.
137+
Up to version 2.4, Symfony used this value for generating the
138+
:doc:`CSRF tokens </form/csrf_protection>`.
138139

139140
This option becomes the service container parameter named ``kernel.secret``,
140141
which you can use whenever the application needs an immutable random string
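
Review bot: the cutoff in the added sentence at new lines 137-138, "Up to version 2.4", does not match the rationale in the commit message, which says the CSRF provider that used this parameter was deprecated since v2.4 and removed in v3.0. As written, a reader cannot tell whether 2.4 is the last version that used the secret for CSRF tokens or the first that stopped, nor what applies to versions between 2.4 and 3.0. That matters to anyone deciding whether changing ``secret`` invalidates outstanding CSRF tokens. Consider stating both points explicitly, for example that the provider using this value was deprecated in 2.4 and removed in 3.0. The historical note is also appended to the same paragraph directly after the ESI sentence; moving it into its own paragraph would keep the list of current uses separate from the legacy behaviour.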
