Skip to content

Commit f3ec431

Browse files
committed
docs
1 parent 40ecf51 commit f3ec431

1 file changed

Lines changed: 19 additions & 0 deletions

File tree

docs/1-essentials/01-routing.md

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -875,6 +875,25 @@ final readonly class ErrorResponseProcessor implements ResponseProcessor
875875
}
876876
```
877877

878+
## Cookie management
879+
880+
### Configuration
881+
882+
By default, Tempest encrypts all cookies it sets, and discards any incoming cookie it cannot decrypt.
883+
This behaviour can be configured by creating a `cookie.config.php` file [anywhere](../1-essentials/06-configuration.md#configuration-files).
884+
885+
```php app/cookie.config.php
886+
use Tempest\Http\Cookie\CookieConfig;
887+
888+
return new CookieConfig(
889+
plaintextCookies: ['darkmode'],
890+
);
891+
```
892+
893+
**`discardUnencryptedCookies`** — When `true` (default), any incoming cookie that Tempest cannot decrypt will be discarded and the browser instructed to delete it. Set to `false` to silently ignore unencrypted cookies instead, leaving them intact in the browser. Note that either way, unencrypted cookies will not be accessible in the request object unless whitelisted via `plaintextCookies`.
894+
895+
**`plaintextCookies`** — A list of cookie names that Tempest will not attempt to encrypt or decrypt. Whitelisted cookies are preserved in the browser, accessible in the request object, and sent to the browser in plaintext. Useful for cookies set by third-party services such as reverse proxies or CDNs, or cookies that must be readable by JavaScript (e.g. UI preferences like dark mode).
896+
878897
## Session management
879898

880899
Sessions in Tempest are managed by the {b`Tempest\Http\Session\Session`} class. It can be injected anywhere needed. As soon as the {b`Tempest\Http\Session\Session`} is injected, it is started behind the scenes.

0 commit comments

Comments
 (0)