Upgrading

Upgrading to Version 3.4

The minimum required PHP version is 8.3.

  • the method Request::isSameSite() is deprecated in favor of isFrom(), which determines the origin of the request from the Sec-Fetch-* headers. The automatic protection of forms and signals becomes more precise, and one behavior changes: direct navigation (a bookmark, a manually typed address, a link in an e-mail) is no longer considered same-site. If a signal relies on action links in e-mails, mark it with #[Requires(sameOrigin: false)].
  • the _nss cookie is now sent only to browsers that do not send the Sec-Fetch-Site header
  • setCookie() sends the Max-Age attribute and forces the Secure flag for SameSite=None and for partitioned cookies
  • the enum SameSite replaces the constants IResponse::SameSiteLax etc., which are deprecated
  • expiration is interpreted the same way everywhere: a number is a relative number of seconds, a string is an interval or a date. Passing an absolute UNIX timestamp is deprecated, and a session cookie is represented by null instead of 0.
  • the deprecated method Request::getRemoteHost() returns null
  • the long deprecated class Nette\Http\UserStorage was removed

The whole story of the switch to the Sec-Fetch-* headers is told in the article Quarter Century of CSRF.

Upgrading to Version 3.2

  • the credentials from HTTP Basic Authentication are no longer part of the Url object, so $url->getUser() and $url->getPassword() return an empty string. Read them using the new method $request->getBasicCredentials().

The reasons for this change are explained in the article Nette Http 3.2: change access to credentials.

Upgrading to Version 3.1

  • cookies are sent with the sameSite: Lax flag
  • cookieSecure now defaults to ‘auto’
  • the session.cookieSecure option is deprecated; http.cookieSecure is used instead
  • the nette-samesite cookie was renamed to _nss
  • Nette\Http\Request::getFile() accepts an array of keys and returns FileUpload|null
  • Nette\Http\Session::getCookieParameters() is deprecated
  • Nette\Http\FileUpload::getName() was renamed to getUntrustedName()
  • Nette\Http\Url: getBasePath(), getBaseUrl(), and getRelativeUrl() are deprecated (these methods are part of UrlScript)
  • Nette\Http\Response::$cookieHttpOnly is deprecated
  • Nette\Http\FileUpload::getImageSize() returns the pair [width, height]
  • with autoStart: smart (the default) the session is no longer started right after the application starts just because the browser sent a session cookie; it starts on the first read or write. The values always and never were added.
  • when the browser sends a session ID for which no session exists, Nette deletes the cookie instead of creating a new session
  • for accessing session sections prefer the methods set(), get() and remove(); unlike property access they correctly distinguish reading from writing and do not start the session unnecessarily
  • the default values of cookiePath and cookieDomain can be set in the configuration

The behavior of sessions is described in detail in the article Nette Http 3.1: much smarter sessions.

Upgrading to Version 3.0

  • the Nette\Http\UrlScript object (returned e.g. by Nette\Http\Request::getUrl()) is now immutable
  • in new Nette\Http\Url('abcd'), abcd represents the path, not the domain; since 3.0, (new Nette\Http\Url('abcd'))->setScheme('http') correctly generates http:abcd instead of the previous http://abcd
version: 4.x 3.x