2d4813b028
## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
38 lines
1.1 KiB
Plaintext
38 lines
1.1 KiB
Plaintext
=== How to fix it in Symfony
|
|
|
|
=== Code examples
|
|
|
|
In a Symfony Security's context, session fixation protection can be disabled with the value ``++none++`` for the ``++session_fixation_strategy++`` attribute.
|
|
|
|
Session fixation protection is enabled by default in Symfony. It can be explicitly enabled with the values ``++migrate++`` and ``++invalidate++`` for the ``++session_fixation_strategy++`` attribute.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
namespace Symfony\Component\DependencyInjection\Loader\Configurator;
|
|
|
|
return static function (ContainerConfigurator $container) {
|
|
$container->extension('security', [
|
|
'session_fixation_strategy' => 'none', // Noncompliant
|
|
]);
|
|
};
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,php,diff-id=1,diff-type=compliant]
|
|
----
|
|
namespace Symfony\Component\DependencyInjection\Loader\Configurator;
|
|
|
|
return static function (ContainerConfigurator $container) {
|
|
$container->extension('security', [
|
|
'session_fixation_strategy' => 'migrate',
|
|
]);
|
|
};
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/new-session.adoc[]
|