Newsgroups: php.internals
From: Lars Strojny <lars@strojny.net>
To: internals@lists.php.net
Date: Fri, 25 Aug 2017 22:54:20 +0200
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
Message-ID: <00CA5219-C7C8-49C8-897E-4CC6C3AA2C81@strojny.net>
In-Reply-To: <7a1f1617-5864-ad7c-f439-3c9f87cacfd1@genkgo.nl>
Hi everybody,

I strongly believe this is something we should ship with 7.2. That would give the ecosystem a 1-year head with a feature that could eventually help eradicate CSRF. I would argue that this is worth the unorthodox circumnavigation of our policies. Do you think that's outrageously crazy?

cu,
Lars

On 24.07.17, 10:53, "Frederik Bosch | Genkgo" wrote:

> LS,
>
> Because of the valid arguments against set(raw)cookie and session_set_cookie_params becoming lengthy functions, I reconsidered the proposal. It now consists of two possibilities. One is to add samesite as an argument, and the second is to have these functions accept an array of options. One can read the changes in the proposal: https://wiki.php.net/rfc/same-site-cookie.
>
> If both solutions are rejected, the floor will be completely open for the proposal of http_cookie_set/remove, since we will then have investigated all the possible solutions to the current set of functions.
>
> Best,
> Frederik
>
> On 20-07-17 10:10, Frederik Bosch | Genkgo wrote:
>
>> LS,
>>
>> All concerns that have been put forward are updated in the RFC document. See https://wiki.php.net/rfc/same-site-cookie. I am going to start the voting on August 1, 2017, exactly two weeks after I posted the RFC on the internals list. If new concerns are put forward in the meanwhile, I will of course update the RFC.
>>
>> Best,
>> Frederik
>>
>> On 19-07-17 17:06, Andrey Andreev wrote:
>>
>>> Hi,
>>>
>>> Not realizing I was looking at EOL dates, I (unintentionally) provided some wrong info yesterday:
>>>
>>> On Tue, Jul 18, 2017 at 5:13 PM, Andrey Andreev wrote:
>>>
>>>> - HttpOnly was released with PHP 5.2.0 in January 2011 - just 3 months prior to IETF RFC 6265 (April 2011) becoming a standards track.
>>>
>>> PHP 5.2 was of course released way back, in 2006. My apologies for that.
>>>
>>> Cheers,
>>> Andrey.
>>
>> --
>> Frederik Bosch
>> Partner
>>
>> Mail: f.bosch@genkgo.nl
>> Web: support.genkgo.com
>>
>> Entrada 123 Amsterdam
>> +31 208 943 931
>>
>> Genkgo B.V. is registered with the Chamber of Commerce under number 56501153
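The options-array shape Frederik's proposal describes, as an added example that is not code from the RFC or from PHP itself: a helper that assembles a Set-Cookie header value carrying SameSite, since until setcookie() understands the attribute the header has to be emitted by hand. The helper name is assumed; the option keys mirror setcookie()'s own parameter names plus the proposed "samesite" key, and Strict/Lax are the two values the SameSite draft defined at the time.

```php
<?php
declare(strict_types=1);

/**
 * Assemble a Set-Cookie header value from an options array (hypothetical helper).
 * The cookie value is urlencoded the way setcookie() does it; the name must not
 * contain separators, matching setcookie()'s own rejection of such names.
 */
function buildSetCookieHeader(string $name, string $value, array $options = []): string
{
    if ($name === '' || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        throw new InvalidArgumentException('Cookie names cannot be empty or contain separators');
    }
    $parts = [$name . '=' . urlencode($value)];

    if (!empty($options['expires'])) {
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s T', (int) $options['expires']);
    }
    if (!empty($options['path']))   { $parts[] = 'Path=' . $options['path']; }
    if (!empty($options['domain'])) { $parts[] = 'Domain=' . $options['domain']; }
    if (!empty($options['secure']))   { $parts[] = 'Secure'; }
    if (!empty($options['httponly'])) { $parts[] = 'HttpOnly'; }

    if (isset($options['samesite'])) {
        // Reject anything but the two values the 2017 draft defines, so a typo
        // cannot silently produce a cookie without cross-site protection.
        $samesite = ucfirst(strtolower((string) $options['samesite']));
        if (!in_array($samesite, ['Strict', 'Lax'], true)) {
            throw new InvalidArgumentException('Unknown SameSite value: ' . $options['samesite']);
        }
        $parts[] = 'SameSite=' . $samesite;
    }

    return implode('; ', $parts);
}

// A session cookie that a cross-site form POST will not carry (constructed sample).
$header = buildSetCookieHeader('PHPSESSID', 'abc123', [
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
header('Set-Cookie: ' . $header, false);
```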