Configure Cookies

OroPlatform uses the following cookies:

• BAPID - cookie that holds information about a logged-in user;
• BAPRM - cookie that holds a remembered user (remember me functionality);
• _csrf - cookie that holds a CSRF token.

The storefront functionality adds the following cookies:

• OROSFID - cookie that holds information about a logged-in customer user;
• OROSFRM - cookie that holds a remembered customer user (remember me functionality);
• customer_visitor - cookie that holds customer visitor data.

All of these cookies are configured in different places.

Back-Office Session Cookie

The back-office session cookie holds information about a logged-in user in the platform application.

This cookie’s default name is BAPID.

This cookie can be configured in the session section of the framework configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

framework:
    ...
    session:
        ...
        name:             BAPID   # the cookie name
        cookie_httponly:  true    # if true, the HttpOnly flag will be included in the HTTP response header
        cookie_secure:    'auto'  # determines whether cookies should only be sent over secure connections
        cookie_samesite:  null    # prevents the browser from sending a cookie along with cross-site requests

More information about configuration options is available in the cookie secure configuration documentation.

Back-Office Remember Me Cookie

The back-office remember me cookie holds information about a remembered user in the platform application.

This cookie’s default name is BAPRM.

This cookie can be configured in the main security firewall configuration in the organization-remember-me section in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

security:
    ...
    firewalls:
        ...
        main:
            ...
            organization-remember-me:
                ...
                name:      BAPRM   # the cookie name
                httponly:  true    # if true, the HttpOnly flag will be included in the HTTP response header
                secure:    'auto'  # determines whether cookies should only be sent over secure connections
                samesite:  null    # prevents the browser from sending cookie along with cross-site requests

More information about configuration options is available in the cookie secure configuration documentation.

CSRF Cookie

CSRF cookie holds the token that should be checked during requests.

The name of the cookie is _csrf. If your application uses SSL, the name is https-_csrf.

This cookie can be configured in the csrf_cookie section of the Security bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

oro_security:
    ...
    csrf_cookie:
        cookie_secure:    'auto'  # determines whether cookies should only be sent over secure connections
        cookie_samesite:  null    # prevents the browser from sending cookie along with cross-site requests

Possible values of the cookie_samesite parameter are: ‘strict’, ‘lax’, ‘none’, and null.

Important

The value of the HTTPOnly parameter for this cookie is always ‘false’ and cannot be changed to ‘true’ since the cookie value must be available in the JavaScript that sends AJAX requests to the server.

Storefront Session Cookie

As the storefront uses a customer user as an authentication object, it works with a separate cookie to store the session data.

This cookie’s default name is OROSFID.

This cookie can be configured in the session section of the Frontend bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

oro_frontend:
    ...
    session:
        ...
        name:             OROSFID  # the cookie name
        cookie_httponly:  true     # if true, the HttpOnly flag will be included in the HTTP response header
        cookie_secure:    'auto'   # determines whether cookies should only be sent over secure connections
        cookie_samesite:  null     # prevents the browser from sending cookie along with cross-site requests

Note

The name parameter value is defined and can be changed in the config/config_prod.yml file.

If a parameter is absent or null, the parameter’s value is taken from the back-office session cookie.

Storefront Remember Me Cookie

The storefront has its own remember me cookie that holds the information about a remembered customer user.

This cookie’s default name is OROSFRM.

This cookie can be configured in the frontend security firewall configuration, in the organization-remember-me section in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

security:
    ...
    firewalls:
        ...
        frontend:
            ...
            organization-remember-me:
                ...
                name:      OROSFRM # the cookie name
                httponly:  true    # if true, the HttpOnly flag will be included in the HTTP response header
                secure:    'auto'  # determines whether cookies should only be sent over secure connections
                samesite:  null    # prevents the browser from sending cookie along with cross-site requests

More information about configuration options is available in the cookie secure configuration documentation.

Customer Visitor Cookie

A customer visitor cookie is used in the storefront to store the data of a non-logged-in user.

This cookie’s name is customer_visitor.

This cookie can be configured in the visitor_session section of the Customer bundle configuration in the Resources/config/oro/app.yml file in any bundle or in the config/config.yml file:

oro_customer:
    ...
    visitor_session:
        cookie_httponly:  true     # if true, the HttpOnly flag will be included in the HTTP response header
        cookie_secure:    'auto'   # determines whether cookies should only be sent over secure connections
        cookie_samesite:  null     # prevents the browser from sending a cookie along with cross-site requests