Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
> Le 14 janv. 2023 à 16:14, G. P. B. a écrit :
>
> Hello Internals,
>
> I would like to start the discussion about the Add SameSite cookie
> attribute parameter RFC:
> https://wiki.php.net/rfc/same-site-parameter
>
> This proposes to add an optional same site parameter to the setrawcooki(),
> setcookie() and session_set_cookie_params() that takes a a value a new
> SameSite enum:
>
> enum SameSite {
>case None;
>case Lax;
>case Strict;}
>
>
> Best regards,
>
> George P. Banyard
Hi,
Some technical remarks:
* The new parameter name should be `$samesite` (all lowercase), in order to
match with the casing of the corresponding key in `$options`.
* I think that you should add the case `SameSite::Omit` (which is the current
default). This is not only for BC, but also for FC if, for some reason,
`SameSite: Lax` is replaced by some attribute that supersedes it. Or if
`SameSite: Lax` becomes the default, and therefore redundant. — Having
`SameSite::Omit` instead of `null` would mean that it would be difficult to
miss it by accident.
That said, I am much more interested in being able to add custom cookie
attributes. Back when SameSite was introduced (on the web, not in PHP), I
recall that I had to use some hack in order to include them in my session
cookie (before upgrading to PHP 7.3). The new cookie attributes mentioned by
Nicolas in the other mail are probably too experimental in order to support
them officially, but it could be interesting to be able to include them
nonetheless, e.g. using some `customAttributes` parameter.
—Claude
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
Am 14.01.2023 um 16:14 schrieb G. P. B. :
> I would like to start the discussion about the Add SameSite cookie
> attribute parameter RFC:
> https://wiki.php.net/rfc/same-site-parameter
>
> This proposes to add an optional same site parameter to the setrawcooki(),
> setcookie() and session_set_cookie_params() that takes a a value a new
> SameSite enum:
>
> enum SameSite {
>case None;
>case Lax;
>case Strict;}
Some comments:
- I am not convinced that we should introduce a third way of providing
parameters to setcookie(). I don't think this function is used often enough in
common code to add yet another iteration of the API. Assuming there is 1 to 2
places in your framework using this I don't think many bugs will go unnoticed.
Adding a warning to illegal 'samesite' values in $options would IMHO be enough
if stricter checking is wished for.
- I don't like the camelCase of $sameSite as this is different from all the
other parameters, e.g. $expires_or_options (yes, this is a pseudo-parameter
name, I know) and $httponly. Looking at a couple of functions in the standard
PHP set I didn't see any $camelCase.
- A more generic question: How are Enums handled concerning future additions of
values vs. BC compatibility? What is the migration plan there if one wants to
support both old and new PHP versions?
Regards,
- Chris
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
Hi George,
Hello Internals,
>
> I would like to start the discussion about the Add SameSite cookie
> attribute parameter RFC:
> https://wiki.php.net/rfc/same-site-parameter
>
> This proposes to add an optional same site parameter to the setrawcooki(),
> setcookie() and session_set_cookie_params() that takes a a value a new
> SameSite enum:
>
> enum SameSite {
> case None;
> case Lax;
> case Strict;}
>
There's quite some activity on the HTTP cookies side.
I read about SameParty and Partitioned attributes recently, see:
- https://developer.chrome.com/docs/privacy-sandbox/chips/
- https://github.com/cfredric/sameparty
Maybe we should have a plan that works for these too?
Nicolas
