symfony
diff --git a/‎_build/redirection_map
Lines changed: 2 additions & 0 deletions b/‎_build/redirection_map
Lines changed: 2 additions & 0 deletions
diff --git a/‎components/ldap.rst
Lines changed: 10 additions & 0 deletions b/‎components/ldap.rst
Lines changed: 10 additions & 0 deletions
diff --git a/‎controller.rst
Lines changed: 2 additions & 5 deletions b/‎controller.rst
Lines changed: 2 additions & 5 deletions
diff --git a/‎http_cache/varnish.rst
Lines changed: 1 addition & 1 deletion b/‎http_cache/varnish.rst
Lines changed: 1 addition & 1 deletion
diff --git a/‎reference/configuration/framework.rst
Lines changed: 0 additions & 1 deletion b/‎reference/configuration/framework.rst
Lines changed: 0 additions & 1 deletion
diff --git a/‎reference/configuration/security.rst
Lines changed: 25 additions & 0 deletions b/‎reference/configuration/security.rst
Lines changed: 25 additions & 0 deletions
diff --git a/‎reference/constraints/UniqueEntity.rst
Lines changed: 7 additions & 4 deletions b/‎reference/constraints/UniqueEntity.rst
Lines changed: 7 additions & 4 deletions
diff --git a/‎security/csrf.rst
Lines changed: 2 additions & 1 deletion b/‎security/csrf.rst
Lines changed: 2 additions & 1 deletion
diff --git a/‎session.rst
Lines changed: 134 additions & 6 deletions b/‎session.rst
Lines changed: 134 additions & 6 deletions
diff --git a/‎session/avoid_session_start.rst
Lines changed: 0 additions & 38 deletions b/‎session/avoid_session_start.rst
Lines changed: 0 additions & 38 deletions
diff --git a/‎session/sessions_directory.rst
Lines changed: 0 additions & 54 deletions b/‎session/sessions_directory.rst
Lines changed: 0 additions & 54 deletions
@@ -409,3 +409,5 @@
 /profiler/profiling_data /profiler
 /profiler/wdt_follow_ajax /profiler
 /security/entity_provider /security/user_provider
+/session/avoid_session_start /session
+/session/sessions_directory /session
@@ -103,6 +103,16 @@ array, you may use the
 
     // Do something with the results array
 
+By default, LDAP queries use the ``Symfony\Component\Ldap\Adapter::SCOPE_SUB``
+scope, which corresponds to the ``LDAP_SCOPE_SUBTREE`` scope of the
+:phpfunction:`ldap_search` function. You can also use ``SCOPE_BASE`` (related
+to the ``LDAP_SCOPE_BASE`` scope of :phpfunction:`ldap_read`) and ``SCOPE_ONE``
+(related to the ``LDAP_SCOPE_ONELEVEL`` scope of :phpfunction:`ldap_list`)::
+
+    use Symfony\Component\Ldap\Adapter;
+
+    $query = $ldap->query('dc=symfony,dc=com', '...', ['scope' => Adapter::SCOPE_ONE]);
+
 Creating or Updating Entries
 ----------------------------
 
 
@@ -405,16 +405,13 @@ To get the session, add an argument and type-hint it with
 
 Stored attributes remain in the session for the remainder of that user's session.
 
-.. tip::
-
-    Every ``SessionInterface`` implementation is supported. If you have your
-    own implementation, type-hint this in the argument instead.
-
 For more info, see :doc:`/session`.
 
 .. index::
    single: Session; Flash messages
 
+.. _flash-messages:
+
 Flash Messages
 ~~~~~~~~~~~~~~
 
 
@@ -63,7 +63,7 @@ authentication, have Varnish remove the corresponding header from requests to
 prevent clients from bypassing the cache. In practice, you will need sessions
 at least for some parts of the site, e.g. when using forms with
 :doc:`CSRF Protection </security/csrf>`. In this situation, make sure to
-:doc:`only start a session when actually needed </session/avoid_session_start>`
+:ref:`only start a session when actually needed <session-avoid-start>`
 and clear the session when it is no longer needed. Alternatively, you can look
 into :ref:`caching pages that contain CSRF protected forms <caching-pages-that-contain-csrf-protected-forms>`.
 
 
@@ -931,7 +931,6 @@ save_path
 
 This determines the argument to be passed to the save handler. If you choose
 the default file handler, this is the path where the session files are created.
-For more information, see :doc:`/session/sessions_directory`.
 
 You can also set this value to the ``save_path`` of your ``php.ini`` by
 setting the value to ``null``:
 
@@ -181,6 +181,31 @@ success_handler
 The service ID used for handling a successful logout. The service must implement
 :class:`Symfony\\Component\\Security\\Http\\Logout\\LogoutSuccessHandlerInterface`.
 
+.. _reference-security-logout-csrf:
+
+csrf_parameter
+~~~~~~~~~~~~~~
+
+**type**: ``string`` **default**: ``'_csrf_token'``
+
+The name of the parameter that stores the CSRF token value.
+
+csrf_token_generator
+~~~~~~~~~~~~~~~~~~~~
+
+**type**: ``string`` **default**: ``null``
+
+The ``id`` of the service used to generate the CSRF tokens. Symfony provides a
+default service whose ID is ``security.csrf.token_manager``.
+
+csrf_token_id
+~~~~~~~~~~~~~
+
+**type**: ``string`` **default**: ``'logout'``
+
+An arbitrary string used to generate the token value (and check its validity
+afterwards).
+
 .. _reference-security-ldap:
 
 LDAP functionality
 
@@ -169,11 +169,13 @@ not need to be used.
 repositoryMethod
 ~~~~~~~~~~~~~~~~
 
-**type**: ``string`` **default**: ``findBy()``
+**type**: ``string`` **default**: ``findBy``
 
-The name of the repository method to use for making the query to determine
-the uniqueness. If it's left blank, the ``findBy()`` method will be used.
-This method should return a countable result.
+The name of the repository method used to determine the uniqueness. If it's left
+blank, ``findBy()`` will be used. The method receives as its argument a
+``fieldName => value`` associative array (where ``fieldName`` is each of the
+fields configured in the ``fields`` option). The method should return a
+`countable PHP variable`_.
 
 entityClass
 ~~~~~~~~~~~
@@ -297,3 +299,4 @@ also has a ``null`` value, validation would fail.
 .. include:: /reference/constraints/_payload-option.rst.inc
 
 .. _`race conditions`: https://en.wikipedia.org/wiki/Race_condition
+.. _`countable PHP variable`: https://php.net/manual/function.is-countable.php
@@ -121,7 +121,8 @@ CSRF Protection in Login Forms
 ------------------------------
 
 See :doc:`/security/form_login_setup` for a login form that is protected from
-CSRF attacks.
+CSRF attacks. You can also configure the
+:ref:`CSRF protection for the logout action <reference-security-logout-csrf>`.
 
 .. _csrf-protection-in-html-forms:
 
 
@@ -1,21 +1,149 @@
 Sessions
 ========
 
-Symfony provides a nice session object that you can use to store information
-about the user between requests.
+Symfony provides a session object and several utilities that you can use to
+store information about the user between requests.
 
-To see how to use the session, read :ref:`session-intro`.
+Configuration
+-------------
+
+Sessions are provided by the `HttpFoundation component`_, which is included in
+all Symfony applications, no matter how you installed it. Before using the
+sessions, check their configuration:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/framework.yaml
+        framework:
+            session:
+                # enables the support of sessions in the app
+                enabled: true
+
+                # ID of the service used for session storage
+                handler_id: session.handler.native_file
+
+                # the directory where session metadata is stored
+                save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
+
+    .. code-block:: xml
+
+        <!-- config/packages/framework.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:framework="http://symfony.com/schema/dic/symfony"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                http://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+            <framework:config>
+                <!--
+                    enabled: enables the support of sessions in the app
+                    handler-id: ID of the service used for session storage
+                    save_path: the directory where session metadata is stored
+                -->
+                <framework:session enabled="true"
+                                   handler-id="session.handler.native_file"
+                                   save-path="%kernel.project_dir%/var/sessions/%kernel.environment%" />
+            </framework:config>
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/framework.php
+        $container->loadFromExtension('framework', [
+            'session' => [
+                // enables the support of sessions in the app
+                'enabled' => true,
+                // ID of the service used for session storage
+                'handler_id' => 'session.handler.native_file',
+                // the directory where session metadata is stored
+                'save_path' => '%kernel.project_dir%/var/sessions/%kernel.environment%',
+            ],
+        ]);
+
+Check out the Symfony config reference to learn more about the other available
+:ref:`Session configuration options <config-framework-session>`. Also, if you
+prefer to store session metadata in the database instead of the filesystem,
+check out this article: :doc:`/doctrine/pdo_session_storage`.
+
+Basic Usage
+-----------
+
+Symfony provides a session service that is injected in your services and
+controllers if you type-hint an argument with
+:class:`Symfony\\Component\\HttpFoundation\\Session\\SessionInterface`::
+
+    use Symfony\Component\HttpFoundation\Session\SessionInterface;
+
+    class SomeService
+    {
+        private $session;
+
+        public function __construct(SessionInterface $session)
+        {
+            $this->session = $session;
+        }
+
+        public function someMethod()
+        {
+            // stores an attribute in the session for later reuse
+            $session->set('attribute-name', 'attribute-value');
+
+            // gets an attribute by name
+            $foo = $session->get('foo');
+
+            // uses a default value if the attribute doesn't exist
+            $filters = $session->get('filters', []);
+
+            // ...
+        }
+    }
+
+Stored attributes remain in the session for the remainder of that user's session.
+
+.. tip::
+
+    Every ``SessionInterface`` implementation is supported. If you have your
+    own implementation, type-hint this in the argument instead.
+
+.. _session-avoid-start:
+
+Avoid Starting Sessions for Anonymous Users
+-------------------------------------------
+
+Sessions are automatically started whenever you read, write or even check for
+the existence of data in the session. This may hurt your application performance
+because all users will receive a session cookie. In order to prevent that, you
+must *completely* avoid accessing the session.
+
+For example, if your templates include some code to display the
+:ref:`flash messages <flash-messages>`, sessions will start even if the user
+is not logged in and even if you haven't created any flash messages. To avoid
+this behavior, add a check before trying to access the flash messages:
+
+.. code-block:: html+twig
+
+    {# this check prevents starting a session when there are no flash messages #}
+    {% if app.request.hasPreviousSession %}
+        {% for message in app.flashes('notice') %}
+            <div class="flash-notice">
+                {{ message }}
+            </div>
+        {% endfor %}
+    {% endif %}
 
 More about Sessions
 -------------------
 
 .. toctree::
     :maxdepth: 1
 
-    session/sessions_directory
-    session/avoid_session_start
+    /doctrine/pdo_session_storage
     session/locale_sticky_session
     session/php_bridge
     session/proxy_examples
 
-* :doc:`/doctrine/pdo_session_storage`
+.. _`HttpFoundation component`: https://symfony.com/components/HttpFoundation