Nette Documentation Preview

syntax
Upgrading
*********


Upgrading to Version 3.4
========================

The minimum required PHP version is 8.3.

- the method `Request::isSameSite()` is deprecated in favor of `isFrom()`, which determines the origin of the request from the `Sec-Fetch-*` headers. The automatic protection of forms and signals becomes more precise, and one behavior changes: direct navigation (a bookmark, a manually typed address, a link in an e-mail) is no longer considered same-site. If a signal relies on action links in e-mails, mark it with `#[Requires(sameOrigin: false)]`.
- the `_nss` cookie is now sent only to browsers that do not send the `Sec-Fetch-Site` header
- `setCookie()` sends the `Max-Age` attribute and forces the `Secure` flag for `SameSite=None` and for partitioned cookies
- the enum `SameSite` replaces the constants `IResponse::SameSiteLax` etc., which are deprecated
- expiration is interpreted the same way everywhere: a number is a relative number of seconds, a string is an interval or a date. Passing an absolute UNIX timestamp is deprecated, and a session cookie is represented by `null` instead of `0`.
- the deprecated method `Request::getRemoteHost()` returns `null`
- the long deprecated class `Nette\Http\UserStorage` was removed

The whole story of the switch to the `Sec-Fetch-*` headers is told in the article [Quarter Century of CSRF |https://blog.nette.org/en/quarter-century-of-csrf].


Upgrading to Version 3.2
========================

- the credentials from HTTP Basic Authentication are no longer part of the `Url` object, so `$url->getUser()` and `$url->getPassword()` return an empty string. Read them using the new method `$request->getBasicCredentials()`.

The reasons for this change are explained in the article [Nette Http 3.2: change access to credentials |https://blog.nette.org/en/nette-http-3-2-change-access-to-credentials].


Upgrading to Version 3.1
========================

- cookies are sent with the `sameSite: Lax` flag
- `cookieSecure` now defaults to 'auto'
- the `session.cookieSecure` option is deprecated; `http.cookieSecure` is used instead
- the `nette-samesite` cookie was renamed to `_nss`
- `Nette\Http\Request::getFile()` accepts an array of keys and returns `FileUpload|null`
- `Nette\Http\Session::getCookieParameters()` is deprecated
- `Nette\Http\FileUpload::getName()` was renamed to `getUntrustedName()`
- `Nette\Http\Url`: `getBasePath()`, `getBaseUrl()`, and `getRelativeUrl()` are deprecated (these methods are part of `UrlScript`)
- `Nette\Http\Response::$cookieHttpOnly` is deprecated
- `Nette\Http\FileUpload::getImageSize()` returns the pair `[width, height]`
- with `autoStart: smart` (the default) the session is no longer started right after the application starts just because the browser sent a session cookie; it starts on the first read or write. The values `always` and `never` were added.
- when the browser sends a session ID for which no session exists, Nette deletes the cookie instead of creating a new session
- for accessing session sections prefer the methods `set()`, `get()` and `remove()`; unlike property access they correctly distinguish reading from writing and do not start the session unnecessarily
- the default values of `cookiePath` and `cookieDomain` can be set in the configuration

The behavior of sessions is described in detail in the article [Nette Http 3.1: much smarter sessions |https://blog.nette.org/en/nette-http-3-1-much-smarter-sessions].


Upgrading to Version 3.0
========================

- the `Nette\Http\UrlScript` object (returned e.g. by `Nette\Http\Request::getUrl()`) is now immutable
- in `new Nette\Http\Url('abcd')`, `abcd` represents the path, not the domain; since 3.0, `(new Nette\Http\Url('abcd'))->setScheme('http')` correctly generates `http:abcd` instead of the previous `http://abcd`

Upgrading

Upgrading to Version 3.4

The minimum required PHP version is 8.3.

  • the method Request::isSameSite() is deprecated in favor of isFrom(), which determines the origin of the request from the Sec-Fetch-* headers. The automatic protection of forms and signals becomes more precise, and one behavior changes: direct navigation (a bookmark, a manually typed address, a link in an e-mail) is no longer considered same-site. If a signal relies on action links in e-mails, mark it with #[Requires(sameOrigin: false)].
  • the _nss cookie is now sent only to browsers that do not send the Sec-Fetch-Site header
  • setCookie() sends the Max-Age attribute and forces the Secure flag for SameSite=None and for partitioned cookies
  • the enum SameSite replaces the constants IResponse::SameSiteLax etc., which are deprecated
  • expiration is interpreted the same way everywhere: a number is a relative number of seconds, a string is an interval or a date. Passing an absolute UNIX timestamp is deprecated, and a session cookie is represented by null instead of 0.
  • the deprecated method Request::getRemoteHost() returns null
  • the long deprecated class Nette\Http\UserStorage was removed

The whole story of the switch to the Sec-Fetch-* headers is told in the article Quarter Century of CSRF.

Upgrading to Version 3.2

  • the credentials from HTTP Basic Authentication are no longer part of the Url object, so $url->getUser() and $url->getPassword() return an empty string. Read them using the new method $request->getBasicCredentials().

The reasons for this change are explained in the article Nette Http 3.2: change access to credentials.

Upgrading to Version 3.1

  • cookies are sent with the sameSite: Lax flag
  • cookieSecure now defaults to ‚auto‘
  • the session.cookieSecure option is deprecated; http.cookieSecure is used instead
  • the nette-samesite cookie was renamed to _nss
  • Nette\Http\Request::getFile() accepts an array of keys and returns FileUpload|null
  • Nette\Http\Session::getCookieParameters() is deprecated
  • Nette\Http\FileUpload::getName() was renamed to getUntrustedName()
  • Nette\Http\Url: getBasePath(), getBaseUrl(), and getRelativeUrl() are deprecated (these methods are part of UrlScript)
  • Nette\Http\Response::$cookieHttpOnly is deprecated
  • Nette\Http\FileUpload::getImageSize() returns the pair [width, height]
  • with autoStart: smart (the default) the session is no longer started right after the application starts just because the browser sent a session cookie; it starts on the first read or write. The values always and never were added.
  • when the browser sends a session ID for which no session exists, Nette deletes the cookie instead of creating a new session
  • for accessing session sections prefer the methods set(), get() and remove(); unlike property access they correctly distinguish reading from writing and do not start the session unnecessarily
  • the default values of cookiePath and cookieDomain can be set in the configuration

The behavior of sessions is described in detail in the article Nette Http 3.1: much smarter sessions.

Upgrading to Version 3.0

  • the Nette\Http\UrlScript object (returned e.g. by Nette\Http\Request::getUrl()) is now immutable
  • in new Nette\Http\Url('abcd'), abcd represents the path, not the domain; since 3.0, (new Nette\Http\Url('abcd'))->setScheme('http') correctly generates http:abcd instead of the previous http://abcd