[Session] Cookie SameSite should be strict by default

pimcore · Jul 28, 2021 · 8aa0cac · 8aa0cac
1 parent 43b0963
commit 8aa0cac
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/bundles/CoreBundle/Resources/config/pimcore/default.yml b/bundles/CoreBundle/Resources/config/pimcore/default.yml
@@ -19,6 +19,7 @@ framework:
         # http://symfony.com/doc/current/reference/configuration/framework.html#handler-id
         # use the native PHP session mechanism
         handler_id:  null
+        cookie_samesite: 'strict'
     php_errors:
         log: true
     assets: ~

diff --git a/...evelopment_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md b/...evelopment_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
@@ -29,6 +29,14 @@ services:
             - Pimcore\Security\Encoder\PasswordFieldEncoder
             - ['password']
 ```
+- [Session] Default setting for `framework.session.cookie_samesite` changed to `strict`. 
+  For more information about the possible impact on your project, please have a look at the [docs of set-cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite). 
+  If you prefer to stay on the old session cookie behavior, please add the following to your project configuration: 
+```yaml
+framework:
+    session:
+        cookie_samesite: 'lax'
+```  
 
 ## 10.0.0