Newsgroups: php.internals
From: lars@strojny.net (Lars Strojny)
Date: Mon, 28 Aug 2017 23:16:01 +0200
To: Sara Golemon, Frederik Bosch | Genkgo
CC: Andrey Andreev, Dan Ackroyd, "internals@lists.php.net"
Subject: Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

Hi Sara, hi Frederik,

Thinking more about this I came to change my vote (and for that reason I’ll take back the suggestion to include it into 7.2):

- The array API is the better API and allows for healthier future growth so we should pursue that option
- There is a (very ugly) workaround to set a same site policy by misusing the “session.cookie_path” or “session.cookie_domain” setting (e.g. set it to “/; SameSite=Strict”, you are welcome, Internet).

cu,
Lars

On 28.08.17, 18:20, "Sara Golemon" wrote:

> On Mon, Aug 28, 2017 at 12:10 PM, Frederik Bosch | Genkgo wrote:
> > Little misunderstanding then. I agree we can better have this PHP 7.3 and take some time for it. Current votes also suggest that we should go for the array argument implementation. Since there is only a PR for the extra argument implementation, it will also take time to have the PR for the array argument implementation ready. Taken that into account, we should not want this in 7.2.
>
> Indeed, yes. Assuming the votes continue on this sharp lean towards the array option, we should just forget all notions of trying to sneak this into 7.2.
>
> Direct calls in 7.2 and earlier can easily fall back on calling header('Set-Cookie: ...'); manually, while sessions support is slightly more complex, but still doable from userspace. I expect if need is deemed high for this, a drop-in composer package can do 90% of the work automatically.
>
> -Sara
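
The two userspace routes mentioned in this thread (a manual header('Set-Cookie: ...') call and the session.cookie_path workaround), shown as an added example that is not code from the thread or from PHP itself. It assumes PHP 7.1 or 7.2; the function names, defaults and the sample cookie are hypothetical.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

/** Build a Set-Cookie header line carrying a SameSite attribute. */
function build_samesite_cookie(string $name, string $value, array $opts = []): string
{
    $opts += [
        'expires' => 0, 'path' => '/', 'domain' => '',
        'secure' => false, 'httponly' => true, 'samesite' => 'Lax',
    ];
    // Same characters setcookie() refuses in a cookie name.
    if ($name === '' || strpbrk($name, "=,; \t\r\n\013\014") !== false) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    // Allow-list the policy so nothing else can be appended to the header.
    if (!in_array($opts['samesite'], ['Strict', 'Lax'], true)) {
        throw new InvalidArgumentException('SameSite must be Strict or Lax');
    }
    // Path and domain are copied verbatim: refuse attribute separators and CR/LF.
    foreach (['path', 'domain'] as $key) {
        if (strpbrk((string) $opts[$key], ";,\r\n") !== false) {
            throw new InvalidArgumentException("Invalid cookie $key");
        }
    }
    $parts = [$name . '=' . rawurlencode($value)];
    if ($opts['expires'] > 0) {
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', (int) $opts['expires']) . ' GMT';
    }
    if ($opts['path'] !== '')   { $parts[] = 'Path=' . $opts['path']; }
    if ($opts['domain'] !== '') { $parts[] = 'Domain=' . $opts['domain']; }
    if ($opts['secure'])        { $parts[] = 'Secure'; }
    if ($opts['httponly'])      { $parts[] = 'HttpOnly'; }
    $parts[] = 'SameSite=' . $opts['samesite'];
    return 'Set-Cookie: ' . implode('; ', $parts);
}

/** Send the cookie; false keeps Set-Cookie headers that were queued earlier. */
function send_samesite_cookie(string $name, string $value, array $opts = []): void
{
    header(build_samesite_cookie($name, $value, $opts), false);
}

/** Session cookie on PHP <= 7.2: the cookie_path workaround from the thread. */
function start_samesite_session(): bool
{
    ini_set('session.cookie_path', '/; SameSite=Strict');
    return session_start();
}

// Constructed sample values:
echo build_samesite_cookie('theme', 'dark mode', ['secure' => true]), PHP_EOL;
```

On PHP 7.3 and later, the array form of setcookie() and the session.cookie_samesite setting replace both helpers.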