From b13250db5f5e47be1ada6c70bde690bb8ee9671c Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 24 Mar 2015 11:14:24 +0100 Subject: [PATCH 1/5] Improved the explanation about the "secret" configuration parameter --- reference/configuration/framework.rst | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 4cdf689758e..1877fb51a78 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -60,10 +60,24 @@ secret **type**: ``string`` **required** -This is a string that should be unique to your application. In practice, -it's used for generating the CSRF tokens, but it could be used in any other -context where having a unique string is useful. It becomes the service container -parameter named ``kernel.secret``. +This is a string that should be unique to your application and it's commonly used +to add more entropy to security related operations. Its value should be series of +characters, numbers and symbols choosen randomly. It's recommended length is +around 32 characters. + +In practice, Symfony uses this value for generating the :ref:`CSRF tokens `, +for encrypting the cookies used in the :doc:`remember me functionality ` +and for creating signed URIs when using :ref:`ESI (Edge Side Includes) ` . + +This option becomes the service container parameter named ``kernel.secret``, +which you can use whenever the application needs a immutable random string +to add more entropy. + +As any other security-related parameter, is a good practice to change this +value from time to time. However, keep in mind that changing this value will +invalidate all signed URIs and Remember Me cookies. That's why, after changing +this value, you should regenerate the application cache, delete the HTTP Cache +related cache and log out all the application users. .. _configuration-framework-http_method_override: 
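Review bot: several grammar and spelling slips in the added paragraphs of this hunk: "should be series of" needs "a series of", "choosen" should be "chosen", "It's recommended length" should be the possessive "Its recommended length", "a immutable random string" should be "an immutable random string", and "As any other security-related parameter, is a good practice" is missing its subject ("As with any other security-related parameter, it is a good practice"). There is also a stray space before the period in "ESI (Edge Side Includes) ` ." and, in the lines as shown, the :ref: and :doc: roles carry no target, which Sphinx will not resolve if the file really reads that way. On substance, "add more entropy to security related operations" undersells what the value is: it acts as a secret key for the CSRF tokens, remember-me cookies and signed ESI URIs named two paragraphs later, so wording like "used as the secret key for signing and encrypting" is more accurate, and "chosen randomly" is worth sharpening to "generated with a cryptographically secure random generator, not typed by hand".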
From 4bbd84abf91c1012e5bfb6fc088cff9457abe39f Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 24 Mar 2015 16:25:14 +0100 Subject: [PATCH 2/5] Fixed some typos --- reference/configuration/framework.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 1877fb51a78..f95aff9189c 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -61,8 +61,8 @@ secret **type**: ``string`` **required** This is a string that should be unique to your application and it's commonly used -to add more entropy to security related operations. Its value should be series of -characters, numbers and symbols choosen randomly. It's recommended length is +to add more entropy to security related operations. Its value should be a series of +characters, numbers and symbols chosen randomly. It's recommended length is around 32 characters. In practice, Symfony uses this value for generating the :ref:`CSRF tokens `, @@ -70,10 +70,10 @@ for encrypting the cookies used in the :doc:`remember me functionality ` . This option becomes the service container parameter named ``kernel.secret``, -which you can use whenever the application needs a immutable random string +which you can use whenever the application needs an immutable random string to add more entropy. -As any other security-related parameter, is a good practice to change this +As with any other security-related parameter, is a good practice to change this value from time to time. However, keep in mind that changing this value will invalidate all signed URIs and Remember Me cookies. That's why, after changing this value, you should regenerate the application cache, delete the HTTP Cache From 74841e63f33162baec694e5da428ff8f4f35e5f5 Mon Sep 17 00:00:00 2001 
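Review bot: in the first hunk (@@ -61,8 +61,8 @@), the line "It's recommended length is" still uses the contraction where the possessive "Its recommended length is" is meant; this fix of "a series of" and "chosen" is otherwise correct, so the same line could simply be rewritten as "characters, numbers and symbols chosen randomly. Its recommended length is".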
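Review bot: in the second hunk (@@ -70,10 +70,10 @@), "As with any other security-related parameter, is a good practice to change this" still lacks a subject after the comma and should read "it is a good practice to change this"; the "an immutable random string" correction on the same hunk is fine. The trailing "` ." in the hunk's context line (space before the period after the ESI reference) is also still there and could be fixed while this paragraph is being touched.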
From: Javier Eguiluz Date: Tue, 24 Mar 2015 18:39:03 +0100 Subject: [PATCH 3/5] Minor rewording --- reference/configuration/framework.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index f95aff9189c..8bf88c0400d 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -62,7 +62,7 @@ secret This is a string that should be unique to your application and it's commonly used to add more entropy to security related operations. Its value should be a series of -characters, numbers and symbols chosen randomly. It's recommended length is +characters, numbers and symbols chosen randomly and the recommended length is around 32 characters. In practice, Symfony uses this value for generating the :ref:`CSRF tokens `, From db5db0fda9f6a1ed3d35cecf9c7bb6b8e03a1eb9 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Wed, 25 Mar 2015 10:57:13 +0100 Subject: [PATCH 4/5] Fixed a minor grammar issue --- reference/configuration/framework.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 8bf88c0400d..6fd52b9e93b 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -73,7 +73,7 @@ This option becomes the service container parameter named ``kernel.secret``, which you can use whenever the application needs an immutable random string to add more entropy. -As with any other security-related parameter, is a good practice to change this +As with any other security-related parameter, it is a good practice to change this value from time to time. However, keep in mind that changing this value will invalidate all signed URIs and Remember Me cookies. That's why, after changing this value, you should regenerate the application cache, delete the HTTP Cache 
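Review bot: for the patch 3/5 hunk (@@ -62,7 +62,7 @@), the rewritten line joins two independent clauses, so a comma before "and" reads better: "characters, numbers and symbols chosen randomly, and the recommended length is". This does resolve the "It's"/"Its" problem from the earlier revision.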
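Review bot: for the patch 4/5 hunk (@@ -73,7 +73,7 @@), the grammar fix is correct, but the surrounding paragraph lists only "signed URIs and Remember Me cookies" as what a rotation invalidates, while the text earlier in this same section says the secret is also used for CSRF tokens. Consider extending the sentence to "invalidate all signed URIs, Remember Me cookies and any CSRF tokens already issued to users" so readers know in-flight forms will fail validation after the change.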
From ac3a74d171276eb41b0f8ff3a991468a6865cc66 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Fri, 17 Apr 2015 22:46:19 +0200 Subject: [PATCH 5/5] Minor rewording --- reference/configuration/framework.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 6fd52b9e93b..81b85e53063 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -76,8 +76,8 @@ to add more entropy. As with any other security-related parameter, it is a good practice to change this value from time to time. However, keep in mind that changing this value will invalidate all signed URIs and Remember Me cookies. That's why, after changing -this value, you should regenerate the application cache, delete the HTTP Cache -related cache and log out all the application users. +this value, you should regenerate the application cache and log out all the +application users. .. _configuration-framework-http_method_override:
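Review bot: this hunk (@@ -76,8 +76,8 @@) removes the step "delete the HTTP Cache related cache" rather than rewording it, and the commit message ("Minor rewording") does not say why. Since the paragraph above states that changing the secret invalidates signed ESI URIs, pages already stored in the HTTP cache may still reference fragment URIs signed with the old value; either keep the step or add a sentence explaining why clearing that cache is no longer required.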