 * implemented PHP 7.0's `SessionUpdateTimestampHandlerInterface` with a new
   `AbstractSessionHandler` base class and a new `StrictSessionHandler` wrapper
 * deprecated the `WriteCheckSessionHandler`, `NativeSessionHandler` and `NativeProxy` classes
 * deprecated setting session save handlers that do not implement `\SessionHandlerInterface` in `NativeSessionStorage::setSaveHandler()`
 * deprecated using `MongoDbSessionHandler` with the legacy mongo extension; use it with the mongodb/mongodb package and ext-mongodb instead
 * deprecated `MemcacheSessionHandler`; use `MemcachedSessionHandler` instead

 * the `Request::setTrustedProxies()` method takes a new `$trustedHeaderSet` argument,
   see http://symfony.com/doc/current/components/http_foundation/trusting_proxies.html for more info,
 * deprecated the `Request::setTrustedHeaderName()` and `Request::getTrustedHeaderName()` methods,
 * added `File\Stream`, to be passed to `BinaryFileResponse` when the size of the served file is unknown,
   disabling `Range` and `Content-Length` handling, switching to chunked encoding instead
 * added the `Cookie::fromString()` method that allows to create a cookie from a

 * Added support for creating `JsonResponse` with a string of JSON data

 * The precedence of parameters returned from `Request::get()` changed from "GET, PATH, BODY" to "PATH, GET, BODY"

 * Finding deep items in `ParameterBag::get()` is deprecated since version 2.8 and
   will be removed in 3.0.

 * PdoSessionHandler changes
   - implemented different session locking strategies to prevent loss of data by concurrent access to the same session
   - [BC BREAK] save session data in a binary column without base64_encode
   - [BC BREAK] added lifetime column to the session table which allows different lifetimes for each session
   - implemented lazy connections that are only opened when a session is used by either passing a dsn string
     explicitly or falling back to session.save_path ini setting
   - added a createTable method that initializes a correctly defined table depending on the database vendor

 * added `JsonResponse::setEncodingOptions()` & `JsonResponse::getEncodingOptions()` for easier manipulation
   of the options used while encoding data to JSON format.

 * added Request::getEncodings()
 * added accessor methods to session handlers

 * added support for ranges of IPs in trusted proxies
 * `UploadedFile::isValid` now returns false if the file was not uploaded via HTTP (in a non-test mode)
 * Improved error-handling of `\Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler`
   to ensure the supplied PDO handler throws Exceptions on error (as the class expects). Added related test cases
   to verify that Exceptions are properly thrown when the PDO queries fail.

 * fixed the Request::create() precedence (URI information always takes precedence now)
 * added Request::getTrustedProxies()
 * deprecated Request::isProxyTrusted()
 * [BC BREAK] JsonResponse does not turn a top level empty array to an object anymore, use an ArrayObject to enforce objects
 * added an IpUtils class to check if an IP belongs to a CIDR
 * added Request::getRealMethod() to get the "real" HTTP method (getMethod() returns the "intended" HTTP method)
 * disabled _method request parameter support by default (call Request::enableHttpMethodParameterOverride() to
   enable it, and Request::getHttpMethodParameterOverride() to check if it is supported)
 * Request::splitHttpAcceptHeader() method is deprecated and will be removed in 2.3
 * Deprecated Flashbag::count() and \Countable interface, will be removed in 2.3

 * added Request::getSchemeAndHttpHost() and Request::getUserInfo()
 * added a fluent interface to the Response class
 * added Request::isProxyTrusted()
 * added a getTargetUrl method to RedirectResponse
 * added support for streamed responses
 * made Response::prepare() method the place to enforce HTTP specification
 * [BC BREAK] moved management of the locale from the Session class to the Request class
 * added a generic access to the PHP built-in filter mechanism: ParameterBag::filter()
 * made FileBinaryMimeTypeGuesser command configurable
 * added Request::getUser() and Request::getPassword()
 * added support for the PATCH method in Request
 * removed the ContentTypeMimeTypeGuesser class as it is deprecated and never used on PHP 5.3
 * added ResponseHeaderBag::makeDisposition() (implements RFC 6266)
 * made mimetype to extension conversion configurable
 * [BC BREAK] Moved all session related classes and interfaces into their own namespace, as
   `Symfony\Component\HttpFoundation\Session` and renamed classes accordingly.
   Session handlers are located in the subnamespace `Symfony\Component\HttpFoundation\Session\Handler`.
 * SessionHandlers must implement `\SessionHandlerInterface` or extend from the
   `Symfony\Component\HttpFoundation\Storage\Handler\NativeSessionHandler` base class.
 * Added internal storage driver proxy mechanism for forward compatibility with
   PHP 5.4 `\SessionHandler` class.
 * Added session handlers for custom Memcache, Memcached and Null session save handlers.
 * [BC BREAK] Removed `NativeSessionStorage` and replaced with `NativeFileSessionHandler`.
 * [BC BREAK] `SessionStorageInterface` methods removed: `write()`, `read()` and
   `remove()`. Added `getBag()`, `registerBag()`. The `NativeSessionStorage` class
   is a mediator for the session storage internals including the session handlers
   which do the real work of participating in the internal PHP session workflow.
 * [BC BREAK] Introduced mock implementations of `SessionStorage` to enable unit
   and functional testing without starting real PHP sessions. Removed
   `ArraySessionStorage`, and replaced with `MockArraySessionStorage` for unit
   tests; removed `FilesystemSessionStorage`, and replaced with `MockFileSessionStorage`
   for functional tests. These do not interact with global session ini
   configuration values, session functions or `$_SESSION` superglobal. This means
   they can be configured directly allowing multiple instances to work without
   conflicting in the same PHP process.
 * [BC BREAK] Removed the `close()` method from the `Session` class, as this is
 * Deprecated the following methods from the Session class: `setFlash()`, `setFlashes()`,
   `getFlash()`, `hasFlash()`, and `removeFlash()`. Use `getFlashBag()` instead
   which returns a `FlashBagInterface`.
 * `Session->clear()` now only clears session attributes; before, it cleared
   flash messages and attributes. `Session->getFlashBag()->all()` clears flashes now.
 * Session data is now managed by `SessionBagInterface` to better encapsulate
 * Refactored session attribute and flash messages system to their own
   `SessionBagInterface` implementations.
 * Added `FlashBag`. Flashes expire when retrieved by `get()` or `all()`. This
   implementation is ESI compatible.
 * Added `AutoExpireFlashBag` (default) to replicate Symfony 2.0.x auto expire
   behaviour of messages auto expiring after one page load. Messages must
   be retrieved by `get()` or `all()`.
 * Added `Symfony\Component\HttpFoundation\Attribute\AttributeBag` to replicate
   attributes storage behaviour from 2.0.x (default).
 * Added `Symfony\Component\HttpFoundation\Attribute\NamespacedAttributeBag` for
   namespace session attributes.
 * Flash API can store messages in an array so there may be multiple messages
   per flash type. The old `Session` class API remains without BC break as it
   will allow single messages as before.
 * Added basic session meta-data to the session to record session create time,
   last updated time, and the lifetime of the session cookie that was provided
 * Request::getClientIp() method doesn't take a parameter anymore but bases
   itself on the trustProxy parameter.
 * Added isMethod() to Request object.
 * [BC BREAK] The methods `getPathInfo()`, `getBaseUrl()` and `getBasePath()` of
   a `Request` now all return a raw value (vs a urldecoded value before). Any call
   to one of these methods must be checked and wrapped in a `rawurldecode()` if