[HttpFoundation] Remove deprecated session options from NativeSessionStorage

OskarStark · claude · OskarStark · commit 0f1199b87017 · 2025-06-27T23:13:12.000+02:00
Remove the following deprecated session options: referer_check, use_only_cookies, use_trans_sid, sid_length, sid_bits_per_character, trans_sid_hosts, trans_sid_tags - Remove BC BREAK prefix from CHANGELOG entry - Add UPGRADE-8.0.md entry with before/after examples - Remove legacy test for trans_sid_tags option - Keep symfony/deprecation-contracts as it's still needed for Response.php 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/UPGRADE-8.0.md b/UPGRADE-8.0.md
@@ -152,6 +152,45 @@ FrameworkBundle
    $application->addCommand(new CreateUserCommand());
    ```
 
+HttpFoundation
+--------------
+
+ * Remove the following deprecated session options from `NativeSessionStorage`: `referer_check`, `use_only_cookies`, `use_trans_sid`, `sid_length`, `sid_bits_per_character`, `trans_sid_hosts`, `trans_sid_tags`
+
+   *Before*
+   ```php
+   use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
+
+   $storage = new NativeSessionStorage([
+       'referer_check' => 'http://example.com',
+       'use_only_cookies' => true,
+       'use_trans_sid' => false,
+       'sid_length' => 48,
+       'sid_bits_per_character' => 6,
+       'trans_sid_hosts' => 'example.com',
+       'trans_sid_tags' => 'a=href,area=href',
+   ]);
+   ```
+
+   *After*
+   ```php
+   use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
+
+   // These options are no longer supported and should be removed
+   $storage = new NativeSessionStorage([
+       // Configure other session options as needed
+   ]);
+   
+   // Use PHP's session configuration functions directly if needed:
+   // ini_set('session.referer_check', 'http://example.com');
+   // ini_set('session.use_only_cookies', '1');
+   // ini_set('session.use_trans_sid', '0');
+   // ini_set('session.sid_length', '48');
+   // ini_set('session.sid_bits_per_character', '6');
+   // ini_set('session.trans_sid_hosts', 'example.com');
+   // ini_set('session.trans_sid_tags', 'a=href,area=href');
+   ```
+
 HttpClient
 ----------
 
diff --git a/src/Symfony/Component/HttpFoundation/CHANGELOG.md b/src/Symfony/Component/HttpFoundation/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+8.0
+---
+
+ * Remove the following deprecated session options from `NativeSessionStorage`: `referer_check`, `use_only_cookies`, `use_trans_sid`, `sid_length`, `sid_bits_per_character`, `trans_sid_hosts`, `trans_sid_tags`
+
 7.4
 ---
 
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php b/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php
@@ -62,16 +62,9 @@ class NativeSessionStorage implements SessionStorageInterface
      * gc_probability, "1"
      * lazy_write, "1"
      * name, "PHPSESSID"
-     * referer_check, "" (deprecated since Symfony 7.2, to be removed in Symfony 8.0)
      * serialize_handler, "php"
      * use_strict_mode, "1"
      * use_cookies, "1"
-     * use_only_cookies, "1" (deprecated since Symfony 7.2, to be removed in Symfony 8.0)
-     * use_trans_sid, "0" (deprecated since Symfony 7.2, to be removed in Symfony 8.0)
-     * sid_length, "32" (@deprecated since Symfony 7.2, to be removed in 8.0)
-     * sid_bits_per_character, "5" (@deprecated since Symfony 7.2, to be removed in 8.0)
-     * trans_sid_hosts, $_SERVER['HTTP_HOST'] (deprecated since Symfony 7.2, to be removed in Symfony 8.0)
-     * trans_sid_tags, "a=href,area=href,frame=src,form=" (deprecated since Symfony 7.2, to be removed in Symfony 8.0)
      */
     public function __construct(array $options = [], AbstractProxy|\SessionHandlerInterface|null $handler = null, ?MetadataBag $metaBag = null)
     {
@@ -122,25 +115,19 @@ public function start(): bool
          *
          * ---------- Part 1
          *
-         * The part `[a-zA-Z0-9,-]` is related to the PHP ini directive `session.sid_bits_per_character` defined as 6.
+         * The part `[a-zA-Z0-9,-]` corresponds to the character range when PHP's `session.sid_bits_per_character` is set to 6.
          * See https://www.php.net/manual/en/session.configuration.php#ini.session.sid-bits-per-character.
-         * Allowed values are integers such as:
-         * - 4 for range `a-f0-9`
-         * - 5 for range `a-v0-9` (@deprecated since Symfony 7.2, it will default to 4 and the option will be ignored in Symfony 8.0)
-         * - 6 for range `a-zA-Z0-9,-` (@deprecated since Symfony 7.2, it will default to 4 and the option will be ignored in Symfony 8.0)
          *
          * ---------- Part 2
          *
-         * The part `{22,250}` is related to the PHP ini directive `session.sid_length`.
+         * The part `{22,250}` defines the acceptable length range for session IDs.
          * See https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length.
          * Allowed values are integers between 22 and 256, but we use 250 for the max.
          *
          * Where does the 250 come from?
          * - The length of Windows and Linux filenames is limited to 255 bytes. Then the max must not exceed 255.
          * - The session filename prefix is `sess_`, a 5 bytes string. Then the max must not exceed 255 - 5 = 250.
          *
-         * This is @deprecated since Symfony 7.2, the sid length will default to 32 and the option will be ignored in Symfony 8.0.
-         *
          * ---------- Conclusion
          *
          * The parts 1 and 2 prevent the warning below:
@@ -323,17 +310,11 @@ public function setOptions(array $options): void
             'cache_expire', 'cache_limiter', 'cookie_domain', 'cookie_httponly',
             'cookie_lifetime', 'cookie_path', 'cookie_secure', 'cookie_samesite',
             'gc_divisor', 'gc_maxlifetime', 'gc_probability',
-            'lazy_write', 'name', 'referer_check',
+            'lazy_write', 'name',
             'serialize_handler', 'use_strict_mode', 'use_cookies',
-            'use_only_cookies', 'use_trans_sid',
-            'sid_length', 'sid_bits_per_character', 'trans_sid_hosts', 'trans_sid_tags',
         ]);
 
         foreach ($options as $key => $value) {
-            if (\in_array($key, ['referer_check', 'use_only_cookies', 'use_trans_sid', 'trans_sid_hosts', 'trans_sid_tags', 'sid_length', 'sid_bits_per_character'], true)) {
-                trigger_deprecation('symfony/http-foundation', '7.2', 'NativeSessionStorage\'s "%s" option is deprecated and will be ignored in Symfony 8.0.', $key);
-            }
-
             if (isset($validOptions[$key])) {
                 if ('cookie_secure' === $key && 'auto' === $value) {
                     continue;
diff --git a/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php b/src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php
@@ -217,32 +217,6 @@ public function testCacheExpireOption()
         $this->assertSame('200', \ini_get('session.cache_expire'));
     }
 
-    /**
-     * @group legacy
-     *
-     * The test must only be removed when the "session.trans_sid_tags" option is removed from PHP or when the "trans_sid_tags" option is no longer supported by the native session storage.
-     */
-    public function testTransSidTagsOption()
-    {
-        $this->expectUserDeprecationMessage('Since symfony/http-foundation 7.2: NativeSessionStorage\'s "trans_sid_tags" option is deprecated and will be ignored in Symfony 8.0.');
-
-        $previousErrorHandler = set_error_handler(function ($errno, $errstr) use (&$previousErrorHandler) {
-            if ('ini_set(): Usage of session.trans_sid_tags INI setting is deprecated' !== $errstr) {
-                return $previousErrorHandler ? $previousErrorHandler(...\func_get_args()) : false;
-            }
-        });
-
-        try {
-            $this->getStorage([
-                'trans_sid_tags' => 'a=href',
-            ]);
-        } finally {
-            restore_error_handler();
-        }
-
-        $this->assertSame('a=href', \ini_get('session.trans_sid_tags'));
-    }
-
     public function testSetSaveHandler()
     {
         $initialSaveHandler = ini_set('session.save_handler', 'files');
@@ -365,27 +339,4 @@ public function testSaveHandlesNullSessionGracefully()
         $this->addToAssertionCount(1);
     }
 
-    /**
-     * @group legacy
-     */
-    public function testPassingDeprecatedOptions()
-    {
-        $this->expectUserDeprecationMessage('Since symfony/http-foundation 7.2: NativeSessionStorage\'s "sid_length" option is deprecated and will be ignored in Symfony 8.0.');
-        $this->expectUserDeprecationMessage('Since symfony/http-foundation 7.2: NativeSessionStorage\'s "sid_bits_per_character" option is deprecated and will be ignored in Symfony 8.0.');
-        $this->expectUserDeprecationMessage('Since symfony/http-foundation 7.2: NativeSessionStorage\'s "referer_check" option is deprecated and will be ignored in Symfony 8.0.');
-        $this->expectUserDeprecationMessage('Since symfony/http-foundation 7.2: NativeSessionStorage\'s "use_only_cookies" option is deprecated and will be ignored in Symfony 8.0.');
-        $this->expectUserDeprecationMessage('Since symfony/http-foundation 7.2: NativeSessionStorage\'s "use_trans_sid" option is deprecated and will be ignored in Symfony 8.0.');
-        $this->expectUserDeprecationMessage('Since symfony/http-foundation 7.2: NativeSessionStorage\'s "trans_sid_hosts" option is deprecated and will be ignored in Symfony 8.0.');
-        $this->expectUserDeprecationMessage('Since symfony/http-foundation 7.2: NativeSessionStorage\'s "trans_sid_tags" option is deprecated and will be ignored in Symfony 8.0.');
-
-        $this->getStorage([
-            'sid_length' => 42,
-            'sid_bits_per_character' => 6,
-            'referer_check' => 'foo',
-            'use_only_cookies' => 'foo',
-            'use_trans_sid' => 'foo',
-            'trans_sid_hosts' => 'foo',
-            'trans_sid_tags' => 'foo',
-        ]);
-    }
 }
