This is the sixth article in a series about new features in Xdebug 2.3, which was first released on February 22nd.

Xdebug's profiling and trace file capabilities can both be triggered by a cookie, GET or POST variable, as long as you have enabled xdebug.profiler_enable_trigger and/or xdebug.trace_enable_trigger. With these triggers enabled, anybody could initiate a profile run, or trace file, by simply sending the XDEBUG_PROFILE or XDEBUG_TRACE cookies with an HTTP request.

Although you should not really run Xdebug in production, you can see that this is not an optimal solution.

Xdebug 2.3 adds supports for shared secrets for the trace file and profiler triggers through the xdebug.trace_enable_trigger_value and xdebug.profiler_enable_trigger_value. If these settings are changed from their default (empty string), then the value of XDEBUG_PROFILE needs to match the value of xdebug.profiler_enable_trigger_value, and the value of XDEBUG_TRACE needs to match the value of xdebug.trace_enable_trigger_value in order for the profiling to start, or the trace file to be generated.

Often users would use one of the browser extensions for triggering profile runs or enabling tracing, these extensions need to be updated. The author of The easiest Xdebug, Nikita Nikitin, managed to get an updated version out before I could complete this article. It now has support for supplying your own values for XDEBUG_TRACE and XDEBUG_PROFILE:

The other two browser helpers have not been updated yet. I have emailed the author of Chrome's Xdebug helper, and I have filled an issue for Safari's xdebug-helper-for-safari on Github. Let's hope they get updated soon too.

---

Other parts in this series:

• Xdebug 2.3: Moar var_dump()

• Xdebug 2.3: Enhanced xdebug_debug_zval()

• Xdebug 2.3: Munging errors

• Xdebug 2.3: Improvements to Debugging

• Xdebug 2.3: Improvements to Tracing