Closed
Description
Symfony version(s) affected: 4.1
Description
Security bundle configuration does not resolve environment variables (at least cookie_secure)
How to reproduce
framework:
session:
cookie_secure: '%env(bool:APP_SECURE)%'
This config looks good, whereas Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSessionDomainConstraintPass does not take it into account and uses $sessionOptions['cookie_secure'] as-is, which holds the env_b5fff47290c287c9_bool_APP_SECURE_93dabfcdbc8f9f7829f1a29cd3d2d083 value.
Possible Solution
Instead of YAML use the following ugly php-based configuration (or its variations)
<?php
$envSecure = getenv('APP_SECURE');
if ($envSecure === false) {
$envSecure = true;
} else {
$envSecure = filter_var($envSecure, FILTER_VALIDATE_BOOLEAN, ['flags' => FILTER_NULL_ON_FAILURE]);
if ($envSecure === null) {
$envSecure = true;
}
}
$container->loadFromExtension('framework', [
'session' => [
'cookie_secure' => $envSecure,
],
]);Additional context