Upgrading
Upgrading to Version 3.4
The minimum required PHP version is 8.3.
- the method
Request::isSameSite()is deprecated in favor ofisFrom(), which determines the origin of the request from theSec-Fetch-*headers. The automatic protection of forms and signals becomes more precise, and one behavior changes: direct navigation (a bookmark, a manually typed address, a link in an e-mail) is no longer considered same-site. If a signal relies on action links in e-mails, mark it with#[Requires(sameOrigin: false)]. - the
_nsscookie is now sent only to browsers that do not send theSec-Fetch-Siteheader setCookie()sends theMax-Ageattribute and forces theSecureflag forSameSite=Noneand for partitioned cookies- the enum
SameSitereplaces the constantsIResponse::SameSiteLaxetc., which are deprecated - expiration is interpreted the same way everywhere: a number is a relative number of seconds, a string is an interval or a
date. Passing an absolute UNIX timestamp is deprecated, and a session cookie is represented by
nullinstead of0. - the deprecated method
Request::getRemoteHost()returnsnull - the long deprecated class
Nette\Http\UserStoragewas removed
The whole story of the switch to the Sec-Fetch-* headers is told in the article Quarter Century of CSRF.
Upgrading to Version 3.2
- the credentials from HTTP Basic Authentication are no longer part of the
Urlobject, so$url->getUser()and$url->getPassword()return an empty string. Read them using the new method$request->getBasicCredentials().
The reasons for this change are explained in the article Nette Http 3.2: change access to credentials.
Upgrading to Version 3.1
- cookies are sent with the
sameSite: Laxflag cookieSecurenow defaults to ‘auto’- the
session.cookieSecureoption is deprecated;http.cookieSecureis used instead - the
nette-samesitecookie was renamed to_nss Nette\Http\Request::getFile()accepts an array of keys and returnsFileUpload|nullNette\Http\Session::getCookieParameters()is deprecatedNette\Http\FileUpload::getName()was renamed togetUntrustedName()Nette\Http\Url:getBasePath(),getBaseUrl(), andgetRelativeUrl()are deprecated (these methods are part ofUrlScript)Nette\Http\Response::$cookieHttpOnlyis deprecatedNette\Http\FileUpload::getImageSize()returns the pair[width, height]- with
autoStart: smart(the default) the session is no longer started right after the application starts just because the browser sent a session cookie; it starts on the first read or write. The valuesalwaysandneverwere added. - when the browser sends a session ID for which no session exists, Nette deletes the cookie instead of creating a new session
- for accessing session sections prefer the methods
set(),get()andremove(); unlike property access they correctly distinguish reading from writing and do not start the session unnecessarily - the default values of
cookiePathandcookieDomaincan be set in the configuration
The behavior of sessions is described in detail in the article Nette Http 3.1: much smarter sessions.
Upgrading to Version 3.0
- the
Nette\Http\UrlScriptobject (returned e.g. byNette\Http\Request::getUrl()) is now immutable - in
new Nette\Http\Url('abcd'),abcdrepresents the path, not the domain; since 3.0,(new Nette\Http\Url('abcd'))->setScheme('http')correctly generateshttp:abcdinstead of the previoushttp://abcd