Alexander Afanasiev, 2019-01-30 08:38:39
symfony

How to properly set HttpOnly cookies for sessions in symfony4?

Hello, in symfony4 framework.yaml there is this setting:

session:
        handler_id: ~
        cookie_secure: auto
        cookie_samesite: lax
        cookie_httponly: true # <--- this one

As an experiment, in index.php I start the session:
$session = new Session();
$session->start();

I open the page in Chrome and look at the cookies through document.cookie: PHPSESSID is visible.
Is that how it should be? What am I doing wrong? Or is it a Symfony bug? Or an outdated settings file that is no longer used?
And the second question:
In the controller, you can get a session instance in the following ways:
1) $session = $request->getSession();
2) via SessionInterface $session
3) $session = new Session();
I wonder if it is possible to do it the third way, especially in classes rather than in controllers, so as not to pass the $session parameter to each class that uses, for example, the user's login.
The third method works, but it is confusing that the examples in the documentation obtain the session only by the first two methods.


1 answer(s)
Alexander, 2019-01-30
@XanderEVG

1) cookie_httponly is true by default. You don't need to add it to the config.
2) Everything works for me on version 4.2. PHPSESSID is created with the http parameter and is not accessible via JS. So the problem is local, and someone can help you lie.
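
An added example, not part of the original thread or of Symfony's own code: a `new Session()` created by hand, as in the question's index.php, builds its own NativeSessionStorage with no options, so the cookie flags come from php.ini rather than from framework.yaml, which configures only the container's session service. The script compares the flags in both cases; `sessionCookieFlags()` is a hypothetical helper, and `cookie_secure` is set to true here, which assumes the site is served over HTTPS.

```php
<?php
// Added example; assumes symfony/http-foundation 4.2+ installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;

/** Flags PHP will put on the session cookie at session start (hypothetical helper). */
function sessionCookieFlags(): array
{
    $p = session_get_cookie_params();

    return [
        'httponly' => (bool) $p['httponly'],
        'secure'   => (bool) $p['secure'],
        'samesite' => $p['samesite'] ?? '', // key exists on PHP 7.3+
    ];
}

// 1) Bare Session, as in the question: the storage gets no options,
//    so session.cookie_httponly keeps its php.ini value (off by default).
$bare = new Session();
$before = sessionCookieFlags();

// 2) Session with explicit storage options: NativeSessionStorage applies
//    them with ini_set('session.<option>', ...) before the session starts.
$hardened = new Session(new NativeSessionStorage([
    'cookie_httponly' => true,
    'cookie_secure'   => true,  // assumption: HTTPS only
    'cookie_samesite' => 'lax',
]));
$after = sessionCookieFlags();

// Print only at the end: once output has been sent, NativeSessionStorage
// skips its ini_set() calls and the comparison would be misleading.
echo json_encode([
    'new Session()'        => $before,
    'with storage options' => $after,
], JSON_PRETTY_PRINT), PHP_EOL;
```

In the browser, a cookie that carries the HttpOnly flag is absent from document.cookie but still listed in the developer tools' cookie view with the HttpOnly column checked.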
