feature #8716 Secure and Lazy session changes (weaverryan)

weaverryan · weaverryan · commit 33d1288b7503 · 2017-11-27T12:51:09.000-05:00
This PR was squashed before being merged into the 3.4 branch (closes #8716). Discussion ---------- Secure and Lazy session changes Fixes #8562 I believe that, in user-land, the only change is that the `framework.session.use_strict_mode` is deprecated, and that we need to say that session data is no longer written unless the session data actually changed. Commits ------- 3e28070 Removing limit_metadata_writes 0a0bca2 Removing use_strict_mode docs, as this feature is deprecated in 3.4
diff --git a/_build/redirection_map b/_build/redirection_map
@@ -194,7 +194,7 @@
 /cookbook/psr7 /components/psr7
 /cookbook/request/index /request
 /cookbook/request/load_balancer_reverse_proxy /deployment/proxies
-/cookbook/request/mime_type /reference/configuration/framework#formats
+/cookbook/request/mime_type /reference/configuration/framework
 /cookbook/routing/conditions /routing/conditions
 /cookbook/routing/custom_route_loader /routing/custom_route_loader
 /cookbook/routing/debug /routing/debug
@@ -244,7 +244,8 @@
 /cookbook/service_container/shared /service_container/shared
 /cookbook/session/avoid_session_start /session/avoid_session_start
 /cookbook/session/index /session
-/cookbook/session/limit_metadata_writes /session/limit_metadata_writes
+/cookbook/session/limit_metadata_writes /reference/configuration/framework
+/session/limit_metadata_writes /reference/configuration/framework
 /cookbook/session/locale_sticky_session /session/locale_sticky_session
 /cookbook/session/php_bridge /session/php_bridge
 /cookbook/session/proxy_examples /session/proxy_examples
diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst
@@ -70,7 +70,6 @@ Configuration
     * `gc_divisor`_
     * `gc_probability`_
     * `gc_maxlifetime`_
-    * `use_strict_mode`_
     * `save_path`_
     * `metadata_update_threshold`_
 * `assets`_
@@ -845,17 +844,6 @@ This determines the number of seconds after which data will be seen as "garbage"
 and potentially cleaned up. Garbage collection may occur during session
 start and depends on `gc_divisor`_ and `gc_probability`_.
 
-use_strict_mode
-...............
-
-**type**: ``boolean`` **default**: ``false``
-
-This specifies whether the session module will use the strict session id mode.
-If this mode is enabled, the module does not accept uninitialized session IDs.
-If an uninitialized session ID is sent from browser, a new session ID is sent
-to browser. Applications are protected from session fixation via session
-adoption with strict mode.
-
 save_path
 .........
 
@@ -902,18 +890,19 @@ setting the value to ``null``:
             ),
         ));
 
+.. _reference-session-metadata-update-threshold:
+
 metadata_update_threshold
 .........................
 
 **type**: ``integer`` **default**: ``0``
 
-This is how many seconds to wait between two session metadata updates. It will
-also prevent the session handler to write if the session has not changed.
-
-.. seealso::
+This is how many seconds to wait between updating/writing the session metadata. This
+can be useful if, for some reason, you want to limit the frequency at which the
+session persists.
 
-    You can see an example of the usage of this in
-    :doc:`/session/limit_metadata_writes`.
+Starting in Symfony 3.4, session data is *only* written when the session data has
+changed. Previously, you needed to set this option to avoid that behavior.
 
 assets
 ~~~~~~
diff --git a/session/limit_metadata_writes.rst b/session/limit_metadata_writes.rst
