# see https://symfony.com/doc/current/reference/configuration/framework.html framework: secret: '%env(APP_SECRET)%' # Note that the session will be started ONLY if you read or write from it. session: # Same-origin SPA cookie session: not readable by JS, sent on same-site # navigations. cookie_secure: auto → Secure flag only over HTTPS (prod), # so local HTTP dev still works. cookie_httponly: true cookie_samesite: lax cookie_secure: auto #esi: true #fragments: true when@test: framework: test: true session: storage_factory_id: session.storage.factory.mock_file