October 12, 2018 Javier Eguiluz

In PHP, setting the secure parameter to true in the setcookie() or session_set_cookie_params() functions make cookies to be sent only when the connection is secure and uses HTTPS.

In Symfony applications you can control this behavior with the framework.session.cookie_secure option, which is a boolean that defaults to false . In order to improve the application security, in Symfony 4.2 we made cookies secure automatically.

The new default value of the cookie_secure option is null , which makes cookies secure when the request is using HTTPS and doesn't modify them when the request uses HTTP. The new behavior is a good balance between making your app "safe by default" and not breaking any existing app.

Related to this, the cookie used in the Remember Me feature now inherits the default config used in the framework.session.cookie_* options, so the new auto-secure behavior also applies to it.