Disable SameSite setting for session cookies
The PHP session cookie should not have the SameSite lax or strict
setting, as this would prevent the session cookie from being present
when the remote Azure MFA IdP sends back a SAML response.

So, for now, it is set to the advisable 'none' setting. Combined with the
secure setting, this will be accepted by modern browsers.

See:
https://www.pivotaltracker.com/story/show/171721565
symfony/symfony#31475
MKodde committed Mar 10, 2020
1 parent 58554e6 commit 6000af5
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion config/packages/framework.yaml
Expand Up @@ -8,7 +8,9 @@ framework:
session:
handler_id: null
cookie_secure: auto
cookie_samesite: lax
# SameSite is set to none. As we must allow receiving a session cookie from the (trusted)
# remote Azure MFA IdP's
cookie_samesite: 'none'
assets: ~
#esi: true
fragments: true
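Review bot: `cookie_secure: auto` (unchanged context above the new line) only marks the cookie Secure when the request itself arrives over HTTPS, but modern browsers discard a `SameSite=None` cookie that lacks the Secure attribute, so in any environment served over plain HTTP the session will still be lost after the SAML round trip; since the commit message relies on the Secure/None pairing, consider `cookie_secure: true` next to `cookie_samesite: 'none'` so the pairing is unconditional. Also note that dropping the former `cookie_samesite: lax` removes the browser-side CSRF mitigation for every route, not just the SAML ACS endpoint; the comment could name the CSRF defence that now covers state-changing requests. Minor: in the comment, "IdP's" should be "IdPs".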
