1CHANGELOG 2========= 3 45.0.0 5----- 6 7 * made `Cookie` auto-secure and lax by default 8 * removed classes in the `MimeType` namespace, use the Symfony Mime component instead 9 * removed method `UploadedFile::getClientSize()` and the related constructor argument 10 * made `Request::getSession()` throw if the session has not been set before 11 * removed `Response::HTTP_RESERVED_FOR_WEBDAV_ADVANCED_COLLECTIONS_EXPIRED_PROPOSAL` 12 * passing a null url when instantiating a `RedirectResponse` is not allowed 13 144.4.0 15----- 16 17 * passing arguments to `Request::isMethodSafe()` is deprecated. 18 * `ApacheRequest` is deprecated, use the `Request` class instead. 19 * passing a third argument to `HeaderBag::get()` is deprecated, use method `all()` instead 20 * [BC BREAK] `PdoSessionHandler` with MySQL changed the type of the lifetime column, 21 make sure to run `ALTER TABLE sessions MODIFY sess_lifetime INTEGER UNSIGNED NOT NULL` to 22 update your database. 23 * `PdoSessionHandler` now precalculates the expiry timestamp in the lifetime column, 24 make sure to run `CREATE INDEX EXPIRY ON sessions (sess_lifetime)` to update your database 25 to speed up garbage collection of expired sessions. 26 * added `SessionHandlerFactory` to create session handlers with a DSN 27 * added `IpUtils::anonymize()` to help with GDPR compliance. 28 294.3.0 30----- 31 32 * added PHPUnit constraints: `RequestAttributeValueSame`, `ResponseCookieValueSame`, `ResponseHasCookie`, 33 `ResponseHasHeader`, `ResponseHeaderSame`, `ResponseIsRedirected`, `ResponseIsSuccessful`, and `ResponseStatusCodeSame` 34 * deprecated `MimeTypeGuesserInterface` and `ExtensionGuesserInterface` in favor of `Symfony\Component\Mime\MimeTypesInterface`. 35 * deprecated `MimeType` and `MimeTypeExtensionGuesser` in favor of `Symfony\Component\Mime\MimeTypes`. 36 * deprecated `FileBinaryMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileBinaryMimeTypeGuesser`. 37 * deprecated `FileinfoMimeTypeGuesser` in favor of `Symfony\Component\Mime\FileinfoMimeTypeGuesser`. 38 * added `UrlHelper` that allows to get an absolute URL and a relative path for a given path 39 404.2.0 41----- 42 43 * the default value of the "$secure" and "$samesite" arguments of Cookie's constructor 44 will respectively change from "false" to "null" and from "null" to "lax" in Symfony 45 5.0, you should define their values explicitly or use "Cookie::create()" instead. 46 * added `matchPort()` in RequestMatcher 47 484.1.3 49----- 50 51 * [BC BREAK] Support for the IIS-only `X_ORIGINAL_URL` and `X_REWRITE_URL` 52 HTTP headers has been dropped for security reasons. 53 544.1.0 55----- 56 57 * Query string normalization uses `parse_str()` instead of custom parsing logic. 58 * Passing the file size to the constructor of the `UploadedFile` class is deprecated. 59 * The `getClientSize()` method of the `UploadedFile` class is deprecated. Use `getSize()` instead. 60 * added `RedisSessionHandler` to use Redis as a session storage 61 * The `get()` method of the `AcceptHeader` class now takes into account the 62 `*` and `*/*` default values (if they are present in the Accept HTTP header) 63 when looking for items. 64 * deprecated `Request::getSession()` when no session has been set. Use `Request::hasSession()` instead. 65 * added `CannotWriteFileException`, `ExtensionFileException`, `FormSizeFileException`, 66 `IniSizeFileException`, `NoFileException`, `NoTmpDirFileException`, `PartialFileException` to 67 handle failed `UploadedFile`. 68 * added `MigratingSessionHandler` for migrating between two session handlers without losing sessions 69 * added `HeaderUtils`. 70 714.0.0 72----- 73 74 * the `Request::setTrustedHeaderName()` and `Request::getTrustedHeaderName()` 75 methods have been removed 76 * the `Request::HEADER_CLIENT_IP` constant has been removed, use 77 `Request::HEADER_X_FORWARDED_FOR` instead 78 * the `Request::HEADER_CLIENT_HOST` constant has been removed, use 79 `Request::HEADER_X_FORWARDED_HOST` instead 80 * the `Request::HEADER_CLIENT_PROTO` constant has been removed, use 81 `Request::HEADER_X_FORWARDED_PROTO` instead 82 * the `Request::HEADER_CLIENT_PORT` constant has been removed, use 83 `Request::HEADER_X_FORWARDED_PORT` instead 84 * checking for cacheable HTTP methods using the `Request::isMethodSafe()` 85 method (by not passing `false` as its argument) is not supported anymore and 86 throws a `\BadMethodCallException` 87 * the `WriteCheckSessionHandler`, `NativeSessionHandler` and `NativeProxy` classes have been removed 88 * setting session save handlers that do not implement `\SessionHandlerInterface` in 89 `NativeSessionStorage::setSaveHandler()` is not supported anymore and throws a 90 `\TypeError` 91 923.4.0 93----- 94 95 * implemented PHP 7.0's `SessionUpdateTimestampHandlerInterface` with a new 96 `AbstractSessionHandler` base class and a new `StrictSessionHandler` wrapper 97 * deprecated the `WriteCheckSessionHandler`, `NativeSessionHandler` and `NativeProxy` classes 98 * deprecated setting session save handlers that do not implement `\SessionHandlerInterface` in `NativeSessionStorage::setSaveHandler()` 99 * deprecated using `MongoDbSessionHandler` with the legacy mongo extension; use it with the mongodb/mongodb package and ext-mongodb instead 100 * deprecated `MemcacheSessionHandler`; use `MemcachedSessionHandler` instead 101 1023.3.0 103----- 104 105 * the `Request::setTrustedProxies()` method takes a new `$trustedHeaderSet` argument, 106 see https://symfony.com/doc/current/deployment/proxies.html for more info, 107 * deprecated the `Request::setTrustedHeaderName()` and `Request::getTrustedHeaderName()` methods, 108 * added `File\Stream`, to be passed to `BinaryFileResponse` when the size of the served file is unknown, 109 disabling `Range` and `Content-Length` handling, switching to chunked encoding instead 110 * added the `Cookie::fromString()` method that allows to create a cookie from a 111 raw header string 112 1133.1.0 114----- 115 116 * Added support for creating `JsonResponse` with a string of JSON data 117 1183.0.0 119----- 120 121 * The precedence of parameters returned from `Request::get()` changed from "GET, PATH, BODY" to "PATH, GET, BODY" 122 1232.8.0 124----- 125 126 * Finding deep items in `ParameterBag::get()` is deprecated since version 2.8 and 127 will be removed in 3.0. 128 1292.6.0 130----- 131 132 * PdoSessionHandler changes 133 - implemented different session locking strategies to prevent loss of data by concurrent access to the same session 134 - [BC BREAK] save session data in a binary column without base64_encode 135 - [BC BREAK] added lifetime column to the session table which allows to have different lifetimes for each session 136 - implemented lazy connections that are only opened when a session is used by either passing a dsn string 137 explicitly or falling back to session.save_path ini setting 138 - added a createTable method that initializes a correctly defined table depending on the database vendor 139 1402.5.0 141----- 142 143 * added `JsonResponse::setEncodingOptions()` & `JsonResponse::getEncodingOptions()` for easier manipulation 144 of the options used while encoding data to JSON format. 145 1462.4.0 147----- 148 149 * added RequestStack 150 * added Request::getEncodings() 151 * added accessors methods to session handlers 152 1532.3.0 154----- 155 156 * added support for ranges of IPs in trusted proxies 157 * `UploadedFile::isValid` now returns false if the file was not uploaded via HTTP (in a non-test mode) 158 * Improved error-handling of `\Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler` 159 to ensure the supplied PDO handler throws Exceptions on error (as the class expects). Added related test cases 160 to verify that Exceptions are properly thrown when the PDO queries fail. 161 1622.2.0 163----- 164 165 * fixed the Request::create() precedence (URI information always take precedence now) 166 * added Request::getTrustedProxies() 167 * deprecated Request::isProxyTrusted() 168 * [BC BREAK] JsonResponse does not turn a top level empty array to an object anymore, use an ArrayObject to enforce objects 169 * added a IpUtils class to check if an IP belongs to a CIDR 170 * added Request::getRealMethod() to get the "real" HTTP method (getMethod() returns the "intended" HTTP method) 171 * disabled _method request parameter support by default (call Request::enableHttpMethodParameterOverride() to 172 enable it, and Request::getHttpMethodParameterOverride() to check if it is supported) 173 * Request::splitHttpAcceptHeader() method is deprecated and will be removed in 2.3 174 * Deprecated Flashbag::count() and \Countable interface, will be removed in 2.3 175 1762.1.0 177----- 178 179 * added Request::getSchemeAndHttpHost() and Request::getUserInfo() 180 * added a fluent interface to the Response class 181 * added Request::isProxyTrusted() 182 * added JsonResponse 183 * added a getTargetUrl method to RedirectResponse 184 * added support for streamed responses 185 * made Response::prepare() method the place to enforce HTTP specification 186 * [BC BREAK] moved management of the locale from the Session class to the Request class 187 * added a generic access to the PHP built-in filter mechanism: ParameterBag::filter() 188 * made FileBinaryMimeTypeGuesser command configurable 189 * added Request::getUser() and Request::getPassword() 190 * added support for the PATCH method in Request 191 * removed the ContentTypeMimeTypeGuesser class as it is deprecated and never used on PHP 5.3 192 * added ResponseHeaderBag::makeDisposition() (implements RFC 6266) 193 * made mimetype to extension conversion configurable 194 * [BC BREAK] Moved all session related classes and interfaces into own namespace, as 195 `Symfony\Component\HttpFoundation\Session` and renamed classes accordingly. 196 Session handlers are located in the subnamespace `Symfony\Component\HttpFoundation\Session\Handler`. 197 * SessionHandlers must implement `\SessionHandlerInterface` or extend from the 198 `Symfony\Component\HttpFoundation\Storage\Handler\NativeSessionHandler` base class. 199 * Added internal storage driver proxy mechanism for forward compatibility with 200 PHP 5.4 `\SessionHandler` class. 201 * Added session handlers for custom Memcache, Memcached and Null session save handlers. 202 * [BC BREAK] Removed `NativeSessionStorage` and replaced with `NativeFileSessionHandler`. 203 * [BC BREAK] `SessionStorageInterface` methods removed: `write()`, `read()` and 204 `remove()`. Added `getBag()`, `registerBag()`. The `NativeSessionStorage` class 205 is a mediator for the session storage internals including the session handlers 206 which do the real work of participating in the internal PHP session workflow. 207 * [BC BREAK] Introduced mock implementations of `SessionStorage` to enable unit 208 and functional testing without starting real PHP sessions. Removed 209 `ArraySessionStorage`, and replaced with `MockArraySessionStorage` for unit 210 tests; removed `FilesystemSessionStorage`, and replaced with`MockFileSessionStorage` 211 for functional tests. These do not interact with global session ini 212 configuration values, session functions or `$_SESSION` superglobal. This means 213 they can be configured directly allowing multiple instances to work without 214 conflicting in the same PHP process. 215 * [BC BREAK] Removed the `close()` method from the `Session` class, as this is 216 now redundant. 217 * Deprecated the following methods from the Session class: `setFlash()`, `setFlashes()` 218 `getFlash()`, `hasFlash()`, and `removeFlash()`. Use `getFlashBag()` instead 219 which returns a `FlashBagInterface`. 220 * `Session->clear()` now only clears session attributes as before it cleared 221 flash messages and attributes. `Session->getFlashBag()->all()` clears flashes now. 222 * Session data is now managed by `SessionBagInterface` to better encapsulate 223 session data. 224 * Refactored session attribute and flash messages system to their own 225 `SessionBagInterface` implementations. 226 * Added `FlashBag`. Flashes expire when retrieved by `get()` or `all()`. This 227 implementation is ESI compatible. 228 * Added `AutoExpireFlashBag` (default) to replicate Symfony 2.0.x auto expire 229 behavior of messages auto expiring after one page page load. Messages must 230 be retrieved by `get()` or `all()`. 231 * Added `Symfony\Component\HttpFoundation\Attribute\AttributeBag` to replicate 232 attributes storage behavior from 2.0.x (default). 233 * Added `Symfony\Component\HttpFoundation\Attribute\NamespacedAttributeBag` for 234 namespace session attributes. 235 * Flash API can stores messages in an array so there may be multiple messages 236 per flash type. The old `Session` class API remains without BC break as it 237 will allow single messages as before. 238 * Added basic session meta-data to the session to record session create time, 239 last updated time, and the lifetime of the session cookie that was provided 240 to the client. 241 * Request::getClientIp() method doesn't take a parameter anymore but bases 242 itself on the trustProxy parameter. 243 * Added isMethod() to Request object. 244 * [BC BREAK] The methods `getPathInfo()`, `getBaseUrl()` and `getBasePath()` of 245 a `Request` now all return a raw value (vs a urldecoded value before). Any call 246 to one of these methods must be checked and wrapped in a `rawurldecode()` if 247 needed. 248