Configure Cookies

OroPlatform uses the following cookies:

• BAPID - cookie that holds information about a logged in user;
• BAPRM - cookie that holds a remembered user (remember me functionality);
• _csrf - cookie that holds a CSRF token.

The storefront functionality adds the following cookies:

• OROSFID - cookie that holds information about a logged in customer user;
• OROSFRM - cookie that holds a remembered customer user (remember me functionality);
• customer_visitor - cookie that holds customer visitor data.

All of these cookies are configured in different places.

Back-Office Session Cookie

The back-office session cookie holds information about a logged in user in the platform application.

This cookie’s default name is BAPID.

This cookie can be configured in the session section of the framework configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

framework:
    ...
    session:
        ...
        name:             BAPID   # the cookie name
        cookie_httponly:  true    # if true, the HttpOnly flag will be included in the HTTP response header
        cookie_secure:    'auto'  # determines whether cookies should only be sent over secure connections
        cookie_samesite:  null    # prevents the browser from sending a cookie along with cross-site requests

More info about available configuration options is available in the cookie secure configuration documentation.

Back-Office Remember Me Cookie

The back-office remember me cookie holds information about a remembered user in the platform application.

This cookie’s default name is BAPRM.

This cookie can be configured in the main security firewall configuration in the organization-remember-me section in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

security:
    ...
    firewalls:
        ...
        main:
            ...
            organization-remember-me:
                ...
                name:      BAPRM   # the cookie name
                httponly:  true    # if true, the HttpOnly flag will be included in the HTTP response header
                secure:    'auto'  # determines whether cookies should only be sent over secure connections
                samesite:  null    # prevents the browser from sending cookie along with cross-site requests

More info about available configuration options is available in the cookie secure configuration documentation.

CSRF Cookie

CSRF cookie holds the token that should be checked during requests.

The name of cookie is _csrf. If your application uses SSL, the name of cookie is https-_csrf.

This cookie can be configured in the csrf_cookie section of the Security bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

oro_security:
    ...
    csrf_cookie:
        cookie_httponly:  false   # if true, the HttpOnly flag will be included in the HTTP response header
        cookie_secure:    'auto'  # determines whether cookies should only be sent over secure connections
        cookie_samesite:  null    # prevents the browser from sending cookie along with cross-site requests

By default, this cookie has cookie_httponly parameter with false value.

Possible values of the cookie_samesite parameter are: ‘strict’, ‘lax’ and null.

Storefront Session Cookie

As the storefront uses a customer user as an authentication object, it works with a separate cookie to store the session data.

This cookie’s default name is OROSFID.

This cookie can be configured in the session section of the Frontend bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

oro_frontend:
    ...
    session:
        ...
        name:             OROSFID  # the cookie name
        cookie_httponly:  true     # if true, the HttpOnly flag will be included in the HTTP response header
        cookie_secure:    'auto'   # determines whether cookies should only be sent over secure connections
        cookie_samesite:  null     # prevents the browser from sending cookie along with cross-site requests

If a parameter is absent or null, the value of the parameter is taken from the back-office session cookie.

Storefront Remember Me Cookie

The storefront has its own remember me cookie that holds the information about a remembered customer user.

This cookie’s default name is OROSFRM.

This cookie can be configured in the frontend security firewall configuration, in the organization-remember-me section in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

security:
    ...
    firewalls:
        ...
        frontend:
            ...
            organization-remember-me:
                ...
                name:      OROSFRM # the cookie name
                httponly:  true    # if true, the HttpOnly flag will be included in the HTTP response header
                secure:    'auto'  # determines whether cookies should only be sent over secure connections
                samesite:  null    # prevents the browser from sending cookie along with cross-site requests

More info about available configuration options is available in the cookie secure configuration documentation.

Customer Visitor Cookie

Customer visitor cookie is used in the storefront to store the data of a non-logged in user.

This cookie’s name is customer_visitor.

This cookie can be configured at the Customer bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

oro_customer:
    ...
    cookie_httponly:  true     # if true, the HttpOnly flag will be included in the HTTP response header
    cookie_secure:    'auto'   # determines whether cookies should only be sent over secure connections
    cookie_samesite:  null     # prevents the browser from sending cookie along with cross-site requests