Important
You are browsing the documentation for version 4.2 of OroCommerce, OroCRM and OroPlatform, which is no longer maintained. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.
See our Release Process documentation for more information on the currently supported and upcoming releases.
Configure Cookies
OroPlatform uses the following cookies:
BAPID - cookie that holds information about a logged-in user;
BAPRM - cookie that holds a remembered user (remember me functionality);
_csrf - cookie that holds a CSRF token.
The storefront functionality adds the following cookies:
OROSFID - cookie that holds information about a logged-in customer user;
OROSFRM - cookie that holds a remembered customer user (remember me functionality);
customer_visitor - cookie that holds customer visitor data.
Each of these cookies is configured in a different place, as described below.
Back-Office Session Cookie
The back-office session cookie holds information about a logged-in user in the platform application.
This cookie’s default name is BAPID.
This cookie can be configured in the session section of the framework configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:
framework:
    ...
    session:
        ...
        name: BAPID              # the cookie name
        cookie_httponly: true    # if true, the HttpOnly flag will be included in the HTTP response header
        cookie_secure: 'auto'    # determines whether cookies should only be sent over secure connections
        cookie_samesite: null    # prevents the browser from sending a cookie along with cross-site requests
More information about the available configuration options can be found in the cookie secure configuration documentation.
Back-Office Remember Me Cookie
The back-office remember me cookie holds information about a remembered user in the platform application.
This cookie’s default name is BAPRM.
This cookie can be configured in the main security firewall configuration in the organization-remember-me section in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:
security:
    ...
    firewalls:
        ...
        main:
            ...
            organization-remember-me:
                ...
                name: BAPRM        # the cookie name
                httponly: true     # if true, the HttpOnly flag will be included in the HTTP response header
                secure: 'auto'     # determines whether cookies should only be sent over secure connections
                samesite: null     # prevents the browser from sending a cookie along with cross-site requests
More information about the available configuration options can be found in the cookie secure configuration documentation.
CSRF Cookie
The CSRF cookie holds the token that is checked during requests.
The name of the cookie is _csrf. If your application uses SSL, the name of the cookie is https-_csrf.
This cookie can be configured in the csrf_cookie section of the Security bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:
oro_security:
    ...
    csrf_cookie:
        cookie_secure: 'auto'    # determines whether cookies should only be sent over secure connections
        cookie_samesite: null    # prevents the browser from sending a cookie along with cross-site requests
Possible values of the cookie_samesite parameter are: 'strict', 'lax', 'none', and null.
Important
Starting from platform version 4.2.11, the value of the HttpOnly parameter for this cookie is always 'false' and cannot be changed to 'true', because the cookie value must be readable by the JavaScript that sends AJAX requests to the server.
Storefront Session Cookie
As the storefront uses a customer user as an authentication object, it works with a separate cookie to store the session data.
This cookie’s default name is OROSFID.
This cookie can be configured in the session section of the Frontend bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:
oro_frontend:
    ...
    session:
        ...
        name: OROSFID            # the cookie name
        cookie_httponly: true    # if true, the HttpOnly flag will be included in the HTTP response header
        cookie_secure: 'auto'    # determines whether cookies should only be sent over secure connections
        cookie_samesite: null    # prevents the browser from sending a cookie along with cross-site requests
Note
The name parameter value is defined and can be changed in the config/config_prod.yml file.
If a parameter is absent or null, its value is taken from the corresponding parameter of the back-office session cookie.
Storefront Remember Me Cookie
The storefront has its own remember me cookie that holds the information about a remembered customer user.
This cookie’s default name is OROSFRM.
This cookie can be configured in the frontend security firewall configuration, in the organization-remember-me section in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:
security:
    ...
    firewalls:
        ...
        frontend:
            ...
            organization-remember-me:
                ...
                name: OROSFRM      # the cookie name
                httponly: true     # if true, the HttpOnly flag will be included in the HTTP response header
                secure: 'auto'     # determines whether cookies should only be sent over secure connections
                samesite: null     # prevents the browser from sending a cookie along with cross-site requests
More information about the available configuration options can be found in the cookie secure configuration documentation.
Customer Visitor Cookie
The customer visitor cookie is used in the storefront to store the data of a user who is not logged in.
This cookie's name is customer_visitor.
This cookie can be configured in the Customer bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:
oro_customer:
    ...
    cookie_httponly: true    # if true, the HttpOnly flag will be included in the HTTP response header
    cookie_secure: 'auto'    # determines whether cookies should only be sent over secure connections
    cookie_samesite: null    # prevents the browser from sending a cookie along with cross-site requests
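To confirm that the settings above actually reach the browser, the following added example (not part of the Oro documentation or code base) audits captured Set-Cookie headers for the cookies named on this page: HttpOnly is expected on every cookie except the CSRF cookie (_csrf, or https-_csrf under SSL), Secure is expected on an HTTPS deployment (which is what cookie_secure: 'auto' produces there; pass https=False for a plain-HTTP capture), and SameSite is reported when it was left at null. The header lines are constructed samples.

```python
# Added example (not Oro code): audit Set-Cookie headers against the flags this page describes.
# Session, remember-me and visitor cookies should be HttpOnly; the CSRF cookie (_csrf, or
# https-_csrf under SSL) must stay readable by JavaScript, so HttpOnly is expected to be absent.
EXPECTED_HTTPONLY = {
    "BAPID": True, "BAPRM": True, "OROSFID": True, "OROSFRM": True,
    "customer_visitor": True, "_csrf": False, "https-_csrf": False,
}

def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs

def audit(headers, https=True):
    """Return findings for the cookies named above; https=True means cookie_secure 'auto' must yield Secure."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in EXPECTED_HTTPONLY:
            continue  # not one of the cookies described on this page
        want_httponly = EXPECTED_HTTPONLY[name]
        if ("httponly" in attrs) != want_httponly:
            msg = "HttpOnly missing" if want_httponly else "HttpOnly set but cookie must be readable by JS"
            findings.append(f"{name}: {msg}")
        if https and "secure" not in attrs:
            findings.append(f"{name}: Secure missing on an HTTPS deployment")
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append(f"{name}: SameSite not set (cookie_samesite is null)")
        elif samesite.lower() == "none" and "secure" not in attrs:
            findings.append(f"{name}: SameSite=None is only accepted together with Secure")
    return findings

# Constructed sample response: two of the five cookies are deliberately mis-configured.
SAMPLE_HEADERS = [
    "BAPID=s1; Path=/; HttpOnly; Secure; SameSite=Lax",
    "https-_csrf=t1; Path=/; Secure; SameSite=Lax",
    "OROSFID=s2; Path=/; HttpOnly; Secure",  # SameSite left at null
    "customer_visitor=v1; Path=/; HttpOnly; Secure; SameSite=Lax",
    "BAPRM=r1; Path=/; Secure; SameSite=Lax",  # HttpOnly missing
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```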