Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:102957
Return-Path: <narf@devilix.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 76635 invoked from network); 22 Jul 2018 17:55:03 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Jul 2018 17:55:03 -0000
Authentication-Results: pb1.pair.com header.from=narf@devilix.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=narf@devilix.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain devilix.net designates 209.85.221.54 as permitted sender)
X-PHP-List-Original-Sender: narf@devilix.net
X-Host-Fingerprint: 209.85.221.54 mail-wr1-f54.google.com  
Received: from [209.85.221.54] ([209.85.221.54:43209] helo=mail-wr1-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F9/5F-47674-6F4C45B5 for <internals@lists.php.net>; Sun, 22 Jul 2018 13:55:02 -0400
Received: by mail-wr1-f54.google.com with SMTP id b15-v6so15690306wrv.10
        for <internals@lists.php.net>; Sun, 22 Jul 2018 10:55:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=devilix.net; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=6cMrSo3aV1sl+RqdNY1fMfKFDQzql7cHokKFSSz+EQU=;
        b=TpCI8VaTvni8rsAudjGhz+WWi1PCFD5q/0aTrvrs8Ze4xQJqIobwAOYIEZYIRaxIMQ
         Zauwa2OC6aCtfb5rmq68vnEhv4AtGqrwglL8c/SIkKCfBLSvi5mRZbBXCf+xNzOpEKKW
         Qy9evtA0eOPT1rI4kvf2uKQjj+AdTnUG1MEMM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=6cMrSo3aV1sl+RqdNY1fMfKFDQzql7cHokKFSSz+EQU=;
        b=BVghgRaFc0jw3YqZTLH2fP3Uv12UN+NNz/0aUIMbEKZ4gcMjKV2mqhbg+DyaYe1i0R
         5VgZKW0wlef/wEin5qkyZpz6XZqx4J3ShNux0DLqB3LucYFVSUmR5lAPvVoNOkwGMmCL
         6REIdNpfQjTVQ4T2jagTsmzZQPKy55DZxXH0WEvUvWYVTIqZMYDDTYTVBcbKZY9ht+S3
         E3oTjxh94IPZQl1/yCXV5kb7Ky0Xlo30zFJioPLFjGkgRttzVsZ4jeUWRXmBlq+6Jq31
         VCnKp4AsxtYVVNh3pp8+4neAP6gJ1u0WUhrYL2xL6l1ciVoVOX/HCnVKPJNfZvyyHX79
         B3HA==
X-Gm-Message-State: AOUpUlE2NzCGQnaFL43DPAiKlLUooHb7pKEtdGcrIrJFaJ1EsrAktkzs
	TJekUhKrBy2O/ZzKnsNOo+8HBtXyACII0FZ5XYebLg==
X-Google-Smtp-Source: AAOMgpe7VwCb8ewmGX1T81SQRnso8zWI+eW374xYsiMotW5E8wZ94kzpr9jAznDl1eUu9gsPT23CefYJkpbRmASyulk=
X-Received: by 2002:adf:9bc9:: with SMTP id e9-v6mr6827157wrc.240.1532282099628;
 Sun, 22 Jul 2018 10:54:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:adf:add2:0:0:0:0:0 with HTTP; Sun, 22 Jul 2018 10:54:59
 -0700 (PDT)
In-Reply-To: <CAJd4=Yb-Njie8_f+83BtDcu=smxOGL3_5pGtCyu91z81oMja9Q@mail.gmail.com>
References: <a4189866-23ea-4dc5-12a4-a7fbad8e5601@genkgo.nl>
 <1abd260d-ebc4-a062-3381-72485946e8bc@gmail.com> <a55b37e3-268c-f8ab-6545-6cf7a4f537f0@genkgo.nl>
 <CAJd4=Ya67XaX3bwwQn20GUQqEvEVe8XEepRz9+of6h4t4fC_fg@mail.gmail.com>
 <CAPhkiZzSfwMd7TthF7jcWwY+JTnFyamyevnWDZZhGGF_qpEpKA@mail.gmail.com>
 <CAJd4=YZfMgJ7pLwUx_0GqdV+KMCGqYZFhQEDV_2KTMOKiRi6dA@mail.gmail.com>
 <CAPhkiZyHTy8m8N9f531GTMcNNhWO7Rj0U9vtMXzg3FhGyJQ0Vg@mail.gmail.com> <CAJd4=Yb-Njie8_f+83BtDcu=smxOGL3_5pGtCyu91z81oMja9Q@mail.gmail.com>
Date: Sun, 22 Jul 2018 20:54:59 +0300
Message-ID: <CAPhkiZzZ1PfXS+9eEJ_E8Uks28woxcTSf0wV6wj6WakHEH9nPw@mail.gmail.com>
To: =?UTF-8?Q?Pedro_Magalh=C3=A3es?= <mail@pmmaga.net>
Cc: "Frederik Bosch | Genkgo" <f.bosch@genkgo.nl>, Stanislav Malyshev <smalyshev@gmail.com>, 
	PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
From: narf@devilix.net (Andrey Andreev)

Hi again,

On Sun, Jul 22, 2018 at 6:47 PM, Pedro Magalh=C3=A3es <mail@pmmaga.net> wro=
te:
> On Sun, Jul 22, 2018 at 1:16 PM Andrey Andreev <narf@devilix.net> wrote:
>>
>> But while I didn't quote that part of your
>> message, you did also suggest to apply the same decision to other
>> functions and so I am talking about all of them.
>>
>> I'd be ok with this for session_set_cookie_params() alone, but not for
>> set[raw]cookie().
>
>
> I thought your comment was about  session_set_cookie_params only because
> your reasoning about lifetime (as a relative amount of time) being a PHP
> construct only makes sense there.

I've been unclear about this, indeed. But I don't see why you thought
I was talking about it as a relative value in particular, nor how my
arguments would only make sense for session_set_cookie_params() ... If
anything, that's the one place where my arguments aren't as strong,
because cookie-related settings are only a small part of the session
handler.

The primary motivation for all my thoughts so far has been to follow
the IETF standards as close as possible, and (as opposed to all other
parameters) cookie attributes are *computed* from the
lifetime/expire/expires input, regardless of whether it is an absolute
or relative value. Thus, I would like for that distinction to be
obvious in the function design. That's not all of my reasoning, but
more on that below ...

> So I'm not sure why for set[raw]cookie the expires attribute would be
> treated different from the others? Max-Age is derived from it, but the va=
lue
> you pass to expires will be directly used in the cookie attribute (althou=
gh
> in a different datetime format). Some other attributes are also not used
> verbatim. For instance, 'secure' being true or false also means they
> `secure;` attribute being present or omitted.
> Thinking again from the perspective of the user, I would find it annoying=
 to
> have the expires attribute separate from the others.
>

Well, you only note the different format as a side thing, but it is
still a kind of derivation. As a side note touching on the absolute
vs. relative thing from earlier, I'd argue that if set[raw]cookie()
was designed today, it would accept a relative value (Max-Age wasn't a
thing until PHP 5.5 IIRC, so it wasn't a factor in the original
function design). Anyway ...

If semantic purity is unimportant, I could also ask why by the same
token you don't want $name and $value to be part of the array params?
How are these 2 parameters less of an inconvenience than $expires (or
whatever you call it)? We have to draw the line somewhere and it has
to be clear; turning $expires into an array key/value pair seems
arbitrary to me.

Last, but certainly not least, we talk about $expires here only becase
that's how it's (currently) named in either documentation and/or
reflection. But for all intents and purposes it may as well be named
$fooBar and it wouldn't matter as long as it is a concrete parameter,
whereas an associative array key name is very important. Now I'd have
to remember if it actually is "lifetime", "expire" or "expires" ... or
is it "max-age"? Not only that, but if it is either "expires" or
"max-age", I would rightfully have reasons to believe that the
expected input should be match the actual Set-Cookie attribute instead
of a PHP-specific value.
That's very unintuitive and I believe we have a general consensus on
this list that array parameters are somewhat evil. You have to
remember that the only reason we're doing this here is to avoid
parameter creep with potential for infinity, and nothing else.

And yes, Secure and HTTPonly don't go as is in the Set-Cookie header,
but those are natural edge cases that I'm sure everybody undestands.

Cheers,
Andrey.