Skip to content

SameSite protection

You are viewing the next version (v6.7) of the documentation.
Click here to switch to the stable version (v6.6), or use the version switcher on the left to navigate between versions.

SameSite protection

INFO

This feature has been introduced with Shopware version 6.4.3.1

Overview

The SameSite configuration comes with the Symfony FrameworkBundle and supersedes the removed sw_csrf Twig function. It is widely available in modern browsers and is set to lax per default.

For more information, refer to SameSite cookies site

Configuration

Changes to the cookie_samesite attribute can be applied to your framework.yaml. The cookie_secure ensures that cookies are sent via HTTP or HTTPS, depending on the request's origin.

yaml

framework:
  session:
    cookie_secure: 'auto'
    cookie_samesite: lax

If you want to deactivate the SameSite protection despite security risks, change the value from lax to null. For detailed configuration options, check the official Symfony Docs.