- Deprecate passing
null
as$requestIp
toIpUtils::__checkIp()
,IpUtils::__checkIp4()
orIpUtils::__checkIp6()
, pass an empty string instead. - Add the
litespeed_finish_request
method to work with Litespeed - Deprecate
upload_progress.*
andurl_rewriter.tags
session options - Allow setting session options via DSN
- Add the
SessionFactory
,NativeSessionStorageFactory
,PhpBridgeSessionStorageFactory
andMockFileSessionStorageFactory
classes - Calling
Request::getSession()
when there is no available session throws aSessionNotFoundException
- Add the
RequestStack::getSession
method - Deprecate the
NamespacedAttributeBag
class - Add
ResponseFormatSame
PHPUnit constraint - Deprecate the
RequestStack::getMasterRequest()
method and addgetMainRequest()
as replacement
- added support for
X-Forwarded-Prefix
header - added
HeaderUtils::parseQuery()
: it does the same asparse_str()
but preserves dots in variable names - added
File::getContent()
- added ability to use comma separated ip addresses for
RequestMatcher::matchIps()
- added
Request::toArray()
to parse a JSON request body to an array - added
RateLimiter\RequestRateLimiterInterface
andRateLimiter\AbstractRequestRateLimiter
- deprecated not passing a
Closure
together withFILTER_CALLBACK
toParameterBag::filter()
; wrap your filter in a closure instead. - Deprecated the
Request::HEADER_X_FORWARDED_ALL
constant, use eitherHEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO
orHEADER_X_FORWARDED_AWS_ELB
orHEADER_X_FORWARDED_TRAEFIK
constants instead. - Deprecated
BinaryFileResponse::create()
, use__construct()
instead
- added
Cookie::withValue
,Cookie::withDomain
,Cookie::withExpires
,Cookie::withPath
,Cookie::withSecure
,Cookie::withHttpOnly
,Cookie::withRaw
,Cookie::withSameSite
- Deprecate
Response::create()
,JsonResponse::create()
,RedirectResponse::create()
, andStreamedResponse::create()
methods (use__construct()
instead) - added
Request::preferSafeContent()
andResponse::setContentSafe()
to handle "safe" HTTP preference according to RFC 8674 - made the Mime component an optional dependency
- added
MarshallingSessionHandler
,IdentityMarshaller
- made
Session
accept a callback to report when the session is being used - Add support for all core cache control directives
- Added
Symfony\Component\HttpFoundation\InputBag
- Deprecated retrieving non-string values using
InputBag::get()
, useInputBag::all()
if you need access to the collection of values
- made
Cookie
auto-secure and lax by default - removed classes in the
MimeType
namespace, use the Symfony Mime component instead - removed method
UploadedFile::getClientSize()
and the related constructor argument - made
Request::getSession()
throw if the session has not been set before - removed
Response::HTTP_RESERVED_FOR_WEBDAV_ADVANCED_COLLECTIONS_EXPIRED_PROPOSAL
- passing a null url when instantiating a
RedirectResponse
is not allowed
- passing arguments to
Request::isMethodSafe()
is deprecated. ApacheRequest
is deprecated, use theRequest
class instead.- passing a third argument to
HeaderBag::get()
is deprecated, use methodall()
instead - [BC BREAK]
PdoSessionHandler
with MySQL changed the type of the lifetime column, make sure to runALTER TABLE sessions MODIFY sess_lifetime INTEGER UNSIGNED NOT NULL
to update your database. PdoSessionHandler
now precalculates the expiry timestamp in the lifetime column, make sure to runCREATE INDEX EXPIRY ON sessions (sess_lifetime)
to update your database to speed up garbage collection of expired sessions.- added
SessionHandlerFactory
to create session handlers with a DSN - added
IpUtils::anonymize()
to help with GDPR compliance.
- added PHPUnit constraints:
RequestAttributeValueSame
,ResponseCookieValueSame
,ResponseHasCookie
,ResponseHasHeader
,ResponseHeaderSame
,ResponseIsRedirected
,ResponseIsSuccessful
, andResponseStatusCodeSame
- deprecated
MimeTypeGuesserInterface
andExtensionGuesserInterface
in favor ofSymfony\Component\Mime\MimeTypesInterface
. - deprecated
MimeType
andMimeTypeExtensionGuesser
in favor ofSymfony\Component\Mime\MimeTypes
. - deprecated
FileBinaryMimeTypeGuesser
in favor ofSymfony\Component\Mime\FileBinaryMimeTypeGuesser
. - deprecated
FileinfoMimeTypeGuesser
in favor ofSymfony\Component\Mime\FileinfoMimeTypeGuesser
. - added
UrlHelper
that allows to get an absolute URL and a relative path for a given path
- the default value of the "$secure" and "$samesite" arguments of Cookie's constructor will respectively change from "false" to "null" and from "null" to "lax" in Symfony 5.0, you should define their values explicitly or use "Cookie::create()" instead.
- added
matchPort()
in RequestMatcher
- [BC BREAK] Support for the IIS-only
X_ORIGINAL_URL
andX_REWRITE_URL
HTTP headers has been dropped for security reasons.
- Query string normalization uses
parse_str()
instead of custom parsing logic. - Passing the file size to the constructor of the
UploadedFile
class is deprecated. - The
getClientSize()
method of theUploadedFile
class is deprecated. UsegetSize()
instead. - added
RedisSessionHandler
to use Redis as a session storage - The
get()
method of theAcceptHeader
class now takes into account the*
and*/*
default values (if they are present in the Accept HTTP header) when looking for items. - deprecated
Request::getSession()
when no session has been set. UseRequest::hasSession()
instead. - added
CannotWriteFileException
,ExtensionFileException
,FormSizeFileException
,IniSizeFileException
,NoFileException
,NoTmpDirFileException
,PartialFileException
to handle failedUploadedFile
. - added
MigratingSessionHandler
for migrating between two session handlers without losing sessions - added
HeaderUtils
.
- the
Request::setTrustedHeaderName()
andRequest::getTrustedHeaderName()
methods have been removed - the
Request::HEADER_CLIENT_IP
constant has been removed, useRequest::HEADER_X_FORWARDED_FOR
instead - the
Request::HEADER_CLIENT_HOST
constant has been removed, useRequest::HEADER_X_FORWARDED_HOST
instead - the
Request::HEADER_CLIENT_PROTO
constant has been removed, useRequest::HEADER_X_FORWARDED_PROTO
instead - the
Request::HEADER_CLIENT_PORT
constant has been removed, useRequest::HEADER_X_FORWARDED_PORT
instead - checking for cacheable HTTP methods using the
Request::isMethodSafe()
method (by not passingfalse
as its argument) is not supported anymore and throws a\BadMethodCallException
- the
WriteCheckSessionHandler
,NativeSessionHandler
andNativeProxy
classes have been removed - setting session save handlers that do not implement
\SessionHandlerInterface
inNativeSessionStorage::setSaveHandler()
is not supported anymore and throws a\TypeError
- implemented PHP 7.0's
SessionUpdateTimestampHandlerInterface
with a newAbstractSessionHandler
base class and a newStrictSessionHandler
wrapper - deprecated the
WriteCheckSessionHandler
,NativeSessionHandler
andNativeProxy
classes - deprecated setting session save handlers that do not implement
\SessionHandlerInterface
inNativeSessionStorage::setSaveHandler()
- deprecated using
MongoDbSessionHandler
with the legacy mongo extension; use it with the mongodb/mongodb package and ext-mongodb instead - deprecated
MemcacheSessionHandler
; useMemcachedSessionHandler
instead
- the
Request::setTrustedProxies()
method takes a new$trustedHeaderSet
argument, see https://symfony.com/doc/current/deployment/proxies.html for more info, - deprecated the
Request::setTrustedHeaderName()
andRequest::getTrustedHeaderName()
methods, - added
File\Stream
, to be passed toBinaryFileResponse
when the size of the served file is unknown, disablingRange
andContent-Length
handling, switching to chunked encoding instead - added the
Cookie::fromString()
method that allows to create a cookie from a raw header string
- Added support for creating
JsonResponse
with a string of JSON data
- The precedence of parameters returned from
Request::get()
changed from "GET, PATH, BODY" to "PATH, GET, BODY"
- Finding deep items in
ParameterBag::get()
is deprecated since version 2.8 and will be removed in 3.0.
- PdoSessionHandler changes
- implemented different session locking strategies to prevent loss of data by concurrent access to the same session
- [BC BREAK] save session data in a binary column without base64_encode
- [BC BREAK] added lifetime column to the session table which allows to have different lifetimes for each session
- implemented lazy connections that are only opened when a session is used by either passing a dsn string explicitly or falling back to session.save_path ini setting
- added a createTable method that initializes a correctly defined table depending on the database vendor
- added
JsonResponse::setEncodingOptions()
&JsonResponse::getEncodingOptions()
for easier manipulation of the options used while encoding data to JSON format.
- added RequestStack
- added Request::getEncodings()
- added accessors methods to session handlers
- added support for ranges of IPs in trusted proxies
UploadedFile::isValid
now returns false if the file was not uploaded via HTTP (in a non-test mode)- Improved error-handling of
\Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler
to ensure the supplied PDO handler throws Exceptions on error (as the class expects). Added related test cases to verify that Exceptions are properly thrown when the PDO queries fail.
- fixed the Request::create() precedence (URI information always take precedence now)
- added Request::getTrustedProxies()
- deprecated Request::isProxyTrusted()
- [BC BREAK] JsonResponse does not turn a top level empty array to an object anymore, use an ArrayObject to enforce objects
- added a IpUtils class to check if an IP belongs to a CIDR
- added Request::getRealMethod() to get the "real" HTTP method (getMethod() returns the "intended" HTTP method)
- disabled _method request parameter support by default (call Request::enableHttpMethodParameterOverride() to enable it, and Request::getHttpMethodParameterOverride() to check if it is supported)
- Request::splitHttpAcceptHeader() method is deprecated and will be removed in 2.3
- Deprecated Flashbag::count() and \Countable interface, will be removed in 2.3
- added Request::getSchemeAndHttpHost() and Request::getUserInfo()
- added a fluent interface to the Response class
- added Request::isProxyTrusted()
- added JsonResponse
- added a getTargetUrl method to RedirectResponse
- added support for streamed responses
- made Response::prepare() method the place to enforce HTTP specification
- [BC BREAK] moved management of the locale from the Session class to the Request class
- added a generic access to the PHP built-in filter mechanism: ParameterBag::filter()
- made FileBinaryMimeTypeGuesser command configurable
- added Request::getUser() and Request::getPassword()
- added support for the PATCH method in Request
- removed the ContentTypeMimeTypeGuesser class as it is deprecated and never used on PHP 5.3
- added ResponseHeaderBag::makeDisposition() (implements RFC 6266)
- made mimetype to extension conversion configurable
- [BC BREAK] Moved all session related classes and interfaces into own namespace, as
Symfony\Component\HttpFoundation\Session
and renamed classes accordingly. Session handlers are located in the subnamespaceSymfony\Component\HttpFoundation\Session\Handler
. - SessionHandlers must implement
\SessionHandlerInterface
or extend from theSymfony\Component\HttpFoundation\Storage\Handler\NativeSessionHandler
base class. - Added internal storage driver proxy mechanism for forward compatibility with
PHP 5.4
\SessionHandler
class. - Added session handlers for custom Memcache, Memcached and Null session save handlers.
- [BC BREAK] Removed
NativeSessionStorage
and replaced withNativeFileSessionHandler
. - [BC BREAK]
SessionStorageInterface
methods removed:write()
,read()
andremove()
. AddedgetBag()
,registerBag()
. TheNativeSessionStorage
class is a mediator for the session storage internals including the session handlers which do the real work of participating in the internal PHP session workflow. - [BC BREAK] Introduced mock implementations of
SessionStorage
to enable unit and functional testing without starting real PHP sessions. RemovedArraySessionStorage
, and replaced withMockArraySessionStorage
for unit tests; removedFilesystemSessionStorage
, and replaced withMockFileSessionStorage
for functional tests. These do not interact with global session ini configuration values, session functions or$_SESSION
superglobal. This means they can be configured directly allowing multiple instances to work without conflicting in the same PHP process. - [BC BREAK] Removed the
close()
method from theSession
class, as this is now redundant. - Deprecated the following methods from the Session class:
setFlash()
,setFlashes()
getFlash()
,hasFlash()
, andremoveFlash()
. UsegetFlashBag()
instead which returns aFlashBagInterface
. Session->clear()
now only clears session attributes as before it cleared flash messages and attributes.Session->getFlashBag()->all()
clears flashes now.- Session data is now managed by
SessionBagInterface
to better encapsulate session data. - Refactored session attribute and flash messages system to their own
SessionBagInterface
implementations. - Added
FlashBag
. Flashes expire when retrieved byget()
orall()
. This implementation is ESI compatible. - Added
AutoExpireFlashBag
(default) to replicate Symfony 2.0.x auto expire behavior of messages auto expiring after one page page load. Messages must be retrieved byget()
orall()
. - Added
Symfony\Component\HttpFoundation\Attribute\AttributeBag
to replicate attributes storage behavior from 2.0.x (default). - Added
Symfony\Component\HttpFoundation\Attribute\NamespacedAttributeBag
for namespace session attributes. - Flash API can stores messages in an array so there may be multiple messages
per flash type. The old
Session
class API remains without BC break as it will allow single messages as before. - Added basic session meta-data to the session to record session create time, last updated time, and the lifetime of the session cookie that was provided to the client.
- Request::getClientIp() method doesn't take a parameter anymore but bases itself on the trustProxy parameter.
- Added isMethod() to Request object.
- [BC BREAK] The methods
getPathInfo()
,getBaseUrl()
andgetBasePath()
of aRequest
now all return a raw value (vs a urldecoded value before). Any call to one of these methods must be checked and wrapped in arawurldecode()
if needed.