symfony
diff --git a/‎_build/redirection_map
Lines changed: 2 additions & 0 deletions b/‎_build/redirection_map
Lines changed: 2 additions & 0 deletions
diff --git a/‎components/ldap.rst
Lines changed: 10 additions & 0 deletions b/‎components/ldap.rst
Lines changed: 10 additions & 0 deletions
diff --git a/‎controller.rst
Lines changed: 2 additions & 5 deletions b/‎controller.rst
Lines changed: 2 additions & 5 deletions
diff --git a/‎http_cache/varnish.rst
Lines changed: 1 addition & 1 deletion b/‎http_cache/varnish.rst
Lines changed: 1 addition & 1 deletion
diff --git a/‎reference/configuration/framework.rst
Lines changed: 0 additions & 1 deletion b/‎reference/configuration/framework.rst
Lines changed: 0 additions & 1 deletion
diff --git a/‎reference/configuration/security.rst
Lines changed: 25 additions & 0 deletions b/‎reference/configuration/security.rst
Lines changed: 25 additions & 0 deletions
diff --git a/‎reference/constraints/UniqueEntity.rst
Lines changed: 7 additions & 4 deletions b/‎reference/constraints/UniqueEntity.rst
Lines changed: 7 additions & 4 deletions
diff --git a/‎security/csrf.rst
Lines changed: 2 additions & 1 deletion b/‎security/csrf.rst
Lines changed: 2 additions & 1 deletion
diff --git a/‎session.rst
Lines changed: 134 additions & 6 deletions b/‎session.rst
Lines changed: 134 additions & 6 deletions
diff --git a/‎session/avoid_session_start.rst
Lines changed: 0 additions & 38 deletions b/‎session/avoid_session_start.rst
Lines changed: 0 additions & 38 deletions
diff --git a/‎session/sessions_directory.rst
Lines changed: 0 additions & 54 deletions b/‎session/sessions_directory.rst
Lines changed: 0 additions & 54 deletions
@@ -409,3 +409,5 @@
 /profiler/profiling_data /profiler
 /profiler/wdt_follow_ajax /profiler
 /security/entity_provider /security/user_provider
+/session/avoid_session_start /session
+/session/sessions_directory /session
@@ -103,6 +103,16 @@ array, you may use the
 
     // Do something with the results array
 
+By default, LDAP queries use the ``Symfony\Component\Ldap\Adapter::SCOPE_SUB``
+scope, which corresponds to the ``LDAP_SCOPE_SUBTREE`` scope of the
+:phpfunction:`ldap_search` function. You can also use ``SCOPE_BASE`` (related
+to the ``LDAP_SCOPE_BASE`` scope of :phpfunction:`ldap_read`) and ``SCOPE_ONE``
+(related to the ``LDAP_SCOPE_ONELEVEL`` scope of :phpfunction:`ldap_list`)::
+
+    use Symfony\Component\Ldap\Adapter;
+
+    $query = $ldap->query('dc=symfony,dc=com', '...', ['scope' => Adapter::SCOPE_ONE]);
+
 Creating or Updating Entries
 ----------------------------
 
 
@@ -405,16 +405,13 @@ To get the session, add an argument and type-hint it with
 
 Stored attributes remain in the session for the remainder of that user's session.
 
-.. tip::
-
-    Every ``SessionInterface`` implementation is supported. If you have your
-    own implementation, type-hint this in the argument instead.
-
 For more info, see :doc:`/session`.
 
 .. index::
    single: Session; Flash messages
 
+.. _flash-messages:
+
 Flash Messages
 ~~~~~~~~~~~~~~
 
 
@@ -63,7 +63,7 @@ authentication, have Varnish remove the corresponding header from requests to
 at least for some parts of the site, e.g. when using forms with
 :doc:`CSRF Protection </security/csrf>`. In this situation, make sure to
-:doc:`only start a session when actually needed </session/avoid_session_start>`
+:ref:`only start a session when actually needed <session-avoid-start>`
 and clear the session when it is no longer needed. Alternatively, you can look
 into :ref:`caching pages that contain CSRF protected forms <caching-pages-that-contain-csrf-protected-forms>`.
 
 
@@ -931,7 +931,6 @@ save_path
 
 This determines the argument to be passed to the save handler. If you choose
 the default file handler, this is the path where the session files are created.
-For more information, see :doc:`/session/sessions_directory`.
 
 You can also set this value to the ``save_path`` of your ``php.ini`` by
 setting the value to ``null``:
 
@@ -181,6 +181,31 @@ success_handler
 The service ID used for handling a successful logout. The service must implement
 :class:`Symfony\\Component\\Security\\Http\\Logout\\LogoutSuccessHandlerInterface`.
 
+.. _reference-security-logout-csrf:
+
+csrf_parameter
+~~~~~~~~~~~~~~
+
+**type**: ``string`` **default**: ``'_csrf_token'``
+
+The name of the parameter that stores the CSRF token value.
+
+csrf_token_generator
+~~~~~~~~~~~~~~~~~~~~
+
+**type**: ``string`` **default**: ``null``
+
+The ``id`` of the service used to generate the CSRF tokens. Symfony provides a
+default service whose ID is ``security.csrf.token_manager``.
+
+csrf_token_id
+~~~~~~~~~~~~~
+
+**type**: ``string`` **default**: ``'logout'``
+
+An arbitrary string used to generate the token value (and check its validity
+afterwards).
+
 .. _reference-security-ldap:
 
 LDAP functionality
 
@@ -169,11 +169,13 @@ not need to be used.
 repositoryMethod
 ~~~~~~~~~~~~~~~~
 
-**type**: ``string`` **default**: ``findBy()``
+**type**: ``string`` **default**: ``findBy``
 
-The name of the repository method to use for making the query to determine
-the uniqueness. If it's left blank, the ``findBy()`` method will be used.
-This method should return a countable result.
+The name of the repository method used to determine the uniqueness. If it's left
+blank, ``findBy()`` will be used. The method receives as its argument a
+``fieldName => value`` associative array (where ``fieldName`` is each of the
+fields configured in the ``fields`` option). The method should return a
+`countable PHP variable`_.
 
 entityClass
 ~~~~~~~~~~~
@@ -297,3 +299,4 @@ also has a ``null`` value, validation would fail.
 .. include:: /reference/constraints/_payload-option.rst.inc
 
 .. _`race conditions`: https://en.wikipedia.org/wiki/Race_condition
+.. _`countable PHP variable`: https://php.net/manual/function.is-countable.php
@@ -121,7 +121,8 @@ CSRF Protection in Login Forms
 ------------------------------
 
 See :doc:`/security/form_login_setup` for a login form that is protected from
-CSRF attacks.
+CSRF attacks. You can also configure the
+:ref:`CSRF protection for the logout action <reference-security-logout-csrf>`.
 
 .. _csrf-protection-in-html-forms:
 
 
@@ -1,21 +1,149 @@
 Sessions
 ========
 
-Symfony provides a nice session object that you can use to store information
-about the user between requests.
+Symfony provides a session object and several utilities that you can use to
+store information about the user between requests.
 
-To see how to use the session, read :ref:`session-intro`.
+Configuration
+-------------
+
+Sessions are provided by the `HttpFoundation component`_, which is included in
+all Symfony applications, no matter how you installed it. Before using the
+sessions, check their configuration:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/framework.yaml
+        framework:
+            session:
+                # enables the support of sessions in the app
+                enabled: true
+
+                # ID of the service used for session storage
+                handler_id: session.handler.native_file
+
+                # the directory where session metadata is stored
+                save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
+
+    .. code-block:: xml
+
+        <!-- config/packages/framework.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:framework="http://symfony.com/schema/dic/symfony"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                http://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+            <framework:config>
+                <!--
+                    enabled: enables the support of sessions in the app
+                    handler-id: ID of the service used for session storage
+                    save_path: the directory where session metadata is stored
+                -->
+                <framework:session enabled="true"
+                                   handler-id="session.handler.native_file"
+                                   save-path="%kernel.project_dir%/var/sessions/%kernel.environment%" />
+            </framework:config>
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/framework.php
+        $container->loadFromExtension('framework', [
+            'session' => [
+                // enables the support of sessions in the app
+                'enabled' => true,
+                // ID of the service used for session storage
+                'handler_id' => 'session.handler.native_file',
+                // the directory where session metadata is stored
+                'save_path' => '%kernel.project_dir%/var/sessions/%kernel.environment%',
+            ],
+        ]);
+
+Check out the Symfony config reference to learn more about the other available
+:ref:`Session configuration options <config-framework-session>`. Also, if you
+prefer to store session metadata in the database instead of the filesystem,
+check out this article: :doc:`/doctrine/pdo_session_storage`.
+
+Basic Usage
+-----------
+
+Symfony provides a session service that is injected in your services and
+controllers if you type-hint an argument with
+:class:`Symfony\\Component\\HttpFoundation\\Session\\SessionInterface`::
+
+    use Symfony\Component\HttpFoundation\Session\SessionInterface;
+
+    class SomeService
+    {
+        private $session;
+
+        public function __construct(SessionInterface $session)
+        {
+            $this->session = $session;
+        }
+
+        public function someMethod()
+        {
+            // stores an attribute in the session for later reuse
+            $session->set('attribute-name', 'attribute-value');
+
+            // gets an attribute by name
+            $foo = $session->get('foo');
+
+            // uses a default value if the attribute doesn't exist
+            $filters = $session->get('filters', []);
+
+            // ...
+        }
+    }
+
+Stored attributes remain in the session for the remainder of that user's session.
+
+.. tip::
+
+    Every ``SessionInterface`` implementation is supported. If you have your
+    own implementation, type-hint this in the argument instead.
+
+.. _session-avoid-start:
+
+Avoid Starting Sessions for Anonymous Users
+-------------------------------------------
+
+Sessions are automatically started whenever you read, write or even check for
+the existence of data in the session. This may hurt your application performance
+because all users will receive a session cookie. In order to prevent that, you
+must *completely* avoid accessing the session.
+
+For example, if your templates include some code to display the
+:ref:`flash messages <flash-messages>`, sessions will start even if the user
+is not logged in and even if you haven't created any flash messages. To avoid
+this behavior, add a check before trying to access the flash messages:
+
+.. code-block:: html+twig
+
+    {# this check prevents starting a session when there are no flash messages #}
+    {% if app.request.hasPreviousSession %}
+        {% for message in app.flashes('notice') %}
+            <div class="flash-notice">
+                {{ message }}
+            </div>
+        {% endfor %}
+    {% endif %}
 
 More about Sessions
 -------------------
 
 .. toctree::
     :maxdepth: 1
 
-    session/sessions_directory
-    session/avoid_session_start
+    /doctrine/pdo_session_storage
     session/locale_sticky_session
     session/php_bridge
     session/proxy_examples
 
-* :doc:`/doctrine/pdo_session_storage`
+.. _`HttpFoundation component`: https://symfony.com/components/HttpFoundation