Skip to content

Commit

Permalink
feature #5109 Improved the explanation about the "secret" configurati…
Browse files Browse the repository at this point in the history 
…on parameter (javiereguiluz)

This PR was merged into the 2.3 branch.

Discussion
----------

Improved the explanation about the "secret" configuration parameter

| Q             | A
| ------------- | ---
| Doc fix?      | no
| New docs?     | yes
| Applies to    | all
| Fixed tickets | -

Commits
-------

ac3a74d Minor rewording
db5db0f Fixed a minor grammar issue
74841e6 Minor rewording
4bbd84a Fixed some typos
b13250d Improved the explanation about the "secret" configuration parameter
  • Loading branch information
@weaverryan
weaverryan committed Apr 27, 2015
2 parents cac0a9c + ac3a74d commit 387ebc0
Showing 1 changed file with 18 additions and 4 deletions.
22 changes: 18 additions & 4 deletions reference/configuration/framework.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,10 +60,24 @@ secret

**type**: ``string`` **required**

This is a string that should be unique to your application. In practice,
it's used for generating the CSRF tokens, but it could be used in any other
context where having a unique string is useful. It becomes the service container
parameter named ``kernel.secret``.
This is a string that should be unique to your application and it's commonly used
to add more entropy to security related operations. Its value should be a series of
characters, numbers and symbols chosen randomly and the recommended length is
around 32 characters.

In practice, Symfony uses this value for generating the :ref:`CSRF tokens <forms-csrf>`,
for encrypting the cookies used in the :doc:`remember me functionality </cookbook/security/remember_me>`
and for creating signed URIs when using :ref:`ESI (Edge Side Includes) <edge-side-includes>` .

This option becomes the service container parameter named ``kernel.secret``,
which you can use whenever the application needs an immutable random string
to add more entropy.

As with any other security-related parameter, it is a good practice to change this
value from time to time. However, keep in mind that changing this value will
invalidate all signed URIs and Remember Me cookies. That's why, after changing
this value, you should regenerate the application cache and log out all the
application users.

.. _configuration-framework-http_method_override:

Expand Down

0 comments on commit 387ebc0

Please sign in to comment.