Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
> Le 14 janv. 2023 à 16:14, G. P. B. a écrit : > > Hello Internals, > > I would like to start the discussion about the Add SameSite cookie > attribute parameter RFC: > https://wiki.php.net/rfc/same-site-parameter > > This proposes to add an optional same site parameter to the setrawcooki(), > setcookie() and session_set_cookie_params() that takes a a value a new > SameSite enum: > > enum SameSite { >case None; >case Lax; >case Strict;} > > > Best regards, > > George P. Banyard Hi, Some technical remarks: * The new parameter name should be `$samesite` (all lowercase), in order to match with the casing of the corresponding key in `$options`. * I think that you should add the case `SameSite::Omit` (which is the current default). This is not only for BC, but also for FC if, for some reason, `SameSite: Lax` is replaced by some attribute that supersedes it. Or if `SameSite: Lax` becomes the default, and therefore redundant. — Having `SameSite::Omit` instead of `null` would mean that it would be difficult to miss it by accident. That said, I am much more interested in being able to add custom cookie attributes. Back when SameSite was introduced (on the web, not in PHP), I recall that I had to use some hack in order to include them in my session cookie (before upgrading to PHP 7.3). The new cookie attributes mentioned by Nicolas in the other mail are probably too experimental in order to support them officially, but it could be interesting to be able to include them nonetheless, e.g. using some `customAttributes` parameter. —Claude -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
Am 14.01.2023 um 16:14 schrieb G. P. B. : > I would like to start the discussion about the Add SameSite cookie > attribute parameter RFC: > https://wiki.php.net/rfc/same-site-parameter > > This proposes to add an optional same site parameter to the setrawcooki(), > setcookie() and session_set_cookie_params() that takes a a value a new > SameSite enum: > > enum SameSite { >case None; >case Lax; >case Strict;} Some comments: - I am not convinced that we should introduce a third way of providing parameters to setcookie(). I don't think this function is used often enough in common code to add yet another iteration of the API. Assuming there is 1 to 2 places in your framework using this I don't think many bugs will go unnoticed. Adding a warning to illegal 'samesite' values in $options would IMHO be enough if stricter checking is wished for. - I don't like the camelCase of $sameSite as this is different from all the other parameters, e.g. $expires_or_options (yes, this is a pseudo-parameter name, I know) and $httponly. Looking at a couple of functions in the standard PHP set I didn't see any $camelCase. - A more generic question: How are Enums handled concerning future additions of values vs. BC compatibility? What is the migration plan there if one wants to support both old and new PHP versions? Regards, - Chris -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php
Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
Hi George, Hello Internals, > > I would like to start the discussion about the Add SameSite cookie > attribute parameter RFC: > https://wiki.php.net/rfc/same-site-parameter > > This proposes to add an optional same site parameter to the setrawcooki(), > setcookie() and session_set_cookie_params() that takes a a value a new > SameSite enum: > > enum SameSite { > case None; > case Lax; > case Strict;} > There's quite some activity on the HTTP cookies side. I read about SameParty and Partitioned attributes recently, see: - https://developer.chrome.com/docs/privacy-sandbox/chips/ - https://github.com/cfredric/sameparty Maybe we should have a plan that works for these too? Nicolas