Fix : the "secret" config parameter is not used anymore for CSRF tokens #7891
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I previously commented on this in an old closed issue (that I suppose will remain ignored): symfony/symfony#14026 (comment) The _secret_ config parameter is not used anymore for CSRF tokens but this statement is still written in the current documentation https://symfony.com/doc/current/reference/configuration/framework.html#secret This is confusing and I would recommend to clarify this by removing the statement or describing that it was valid until a certain version. My understanding is that the CSRF token provider that used this parameter has been deprecated since v2.4 and removed in v3.0 according to https://github.com/symfony/symfony/blob/2.4/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php#L22 or http://api.symfony.com/2.3/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.html#method___construct
xabbuh
reviewed
May 12, 2017
| in the :doc:`remember me functionality </security/remember_me>` and for | ||
| creating signed URIs when using :ref:`ESI (Edge Side Includes) <edge-side-includes>`. | ||
| Up to version 2.4, Symfony used this value for generating the | ||
| :doc:`CSRF tokens </form/csrf_protection>`. |
There was a problem hiding this comment.
I would just drop this sentence entirely.
There was a problem hiding this comment.
As you wish, you know better than me the best practices of Symfony's documentation
xabbuh
approved these changes
May 12, 2017
|
Thank you @ClementNotin. |
xabbuh
added a commit
that referenced
this pull request
May 17, 2017
…or CSRF tokens (ClementNotin) This PR was merged into the 3.2 branch. Discussion ---------- Fix : the "secret" config parameter is not used anymore for CSRF tokens I previously commented on this in an old closed issue (that I suppose will remain ignored): symfony/symfony#14026 (comment) The _secret_ config parameter is not used anymore for CSRF tokens but this statement is still written in the current documentation https://symfony.com/doc/current/reference/configuration/framework.html#secret This is confusing and I would recommend to clarify this by removing the statement or describing that it was valid until a certain version. My understanding is that the CSRF token provider that used this parameter has been deprecated since v2.4 and removed in v3.0 according to https://github.com/symfony/symfony/blob/2.4/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php#L22 or http://api.symfony.com/2.3/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.html#method___construct Commits ------- 61e0bc7 The "secret" config parameter is not used anymore for CSRF tokens
xabbuh
added a commit
that referenced
this pull request
May 17, 2017
weaverryan
added a commit
that referenced
this pull request
May 20, 2017
* 3.2: (39 commits) updating instance Avoid backticks in shell scripts Update optional_dependencies.rst Fix xml blocks pass only strings to loadUserByUsername() Fix Authenticator Class (getCredentials) example Documented addAnnotatedClassesToCompile() and the use of class patterns Added the picture that shows how GuardAuthenticationListener calls Authentication Guard methods. [#7205] minor tweak Simplified the use of transChoice() [#7875] minor tweaks Minor fix Minor changes Properly show all events and describe guard events [#7891] remove not needed sentence [#7773] fix line length Add helpful remarks on custom DataCollector Remove use of deprecated security.exception_listener.class parameter Update resources.rst Fix incoherent ut8mb4 collation in Doctrine setup ...
weaverryan
added a commit
that referenced
this pull request
May 20, 2017
* 3.4: (40 commits) Adding an article to explain the 3.3 changes, and how to upgrade updating instance Avoid backticks in shell scripts Update optional_dependencies.rst Fix xml blocks pass only strings to loadUserByUsername() Fix Authenticator Class (getCredentials) example Documented addAnnotatedClassesToCompile() and the use of class patterns Added the picture that shows how GuardAuthenticationListener calls Authentication Guard methods. [#7205] minor tweak Simplified the use of transChoice() [#7875] minor tweaks Minor fix Minor changes Properly show all events and describe guard events [#7891] remove not needed sentence [#7773] fix line length Add helpful remarks on custom DataCollector Remove use of deprecated security.exception_listener.class parameter Update resources.rst ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I previously commented on this in an old closed issue (that I suppose will remain ignored): symfony/symfony#14026 (comment)
The secret config parameter is not used anymore for CSRF tokens but this statement is still written in the current documentation https://symfony.com/doc/current/reference/configuration/framework.html#secret
This is confusing and I would recommend to clarify this by removing the statement or describing that it was valid until a certain version.
My understanding is that the CSRF token provider that used this parameter has been deprecated since v2.4 and removed in v3.0 according to https://github.com/symfony/symfony/blob/2.4/src/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php#L22 or http://api.symfony.com/2.3/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.html#method___construct