Newsgroups: php.internals
To: Pedro Magalhães, Andrey Andreev
CC: PHP internals
Date: Tue, 24 Jul 2018 19:38:36 +0000
Subject: Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
From: theodorejb@outlook.com (Theodore Brown)

On Tue, Jul 24, 2018 at 11:37 AM Pedro Magalhães wrote:

> Well, "expires" is what ends up in the cookie header itself so I think
> that it's simple to remember. But I do understand your arguments on
> semantic purity and the fact that Max-Age is derived from it but I still
> believe that in this case, it's not worth the distinction. If there ever
> comes a new attribute that won't be used verbatim, what would we do?
> Leave it between $expires and the options array and break all existing
> code? Leave it to the end of the signature to avoid the BC break but
> then we are left with something really awkward?
>
> Given that we understand each other but we just disagree on what is more
> important, I'd really like to hear someone else's opinion. If we are to
> get something into 7.3 (which I believe we should due to
> https://github.com/php/php-src/pull/2613#issuecomment-401266510) and
> with the feature freeze in one week, we should reach an agreement on
> what to do very soon.

Have you investigated the way other languages/libraries handle this? I
developed the es-cookie module (https://github.com/theodorejb/es-cookie),
which shares the basic API of the very popular js-cookie library.

Both libraries have a `set` function with `name`, `value`, and `options`
parameters. `expires` is one of the properties that can be set in the
options object (along with `path`, `domain`, `secure`, and `sameSite`).
The `expires` property can be a number or a Date instance.

I also looked at the other most popular npm packages for cookie handling
(universal-cookie, browser-cookies, tiny-cookie, cookie_js, and more).
All of them have a set function with the same 3-parameter signature.

The benefit of this approach is that `expires` is optional, and other
attributes can be set without having to pass a value for it. I think it
would be strange and unexpected for PHP to require an `expires` value
to be passed **even if I only want to set one of the other options.**

Andrey, I understand your argument about `expires` being treated
differently from the other options, but in my opinion this isn't
sufficient reason to require a separate parameter before other attributes
can be set, or to break from the convention of existing cookie-handling
libraries that developers are familiar with.

Kind regards,
Theodore Brown
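
The three-parameter `set(name, value, options)` shape discussed in the message above, as an added JavaScript example that is not part of the original e-mail and is not code from es-cookie, js-cookie or PHP. `serializeCookie`, its `now` parameter and its validation rules are hypothetical, and a numeric `expires` is assumed to mean days from now.

```javascript
// Added illustration: serializeCookie is a hypothetical helper, not the
// implementation of es-cookie, js-cookie or PHP's setcookie().
const SAME_SITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);
const DAY_MS = 24 * 60 * 60 * 1000;

// Reject characters that would end an attribute or smuggle in another one.
function attrValue(label, value) {
  const s = String(value);
  if (/[;\x00-\x1f\x7f]/.test(s)) {
    throw new TypeError(`invalid character in ${label}`);
  }
  return s;
}

// Build a Set-Cookie header value. Every option, including expires, is optional.
function serializeCookie(name, value, options = {}, now = new Date()) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new TypeError('cookie name must be an RFC 6265 token');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];

  // Assumption: a numeric expires counts days from `now`; a Date is used as-is.
  if (options.expires !== undefined) {
    const when = typeof options.expires === 'number'
      ? new Date(now.getTime() + options.expires * DAY_MS)
      : options.expires;
    if (!(when instanceof Date) || Number.isNaN(when.getTime())) {
      throw new TypeError('expires must be a number or a valid Date');
    }
    parts.push(`Expires=${when.toUTCString()}`);
  }
  if (options.path !== undefined) parts.push(`Path=${attrValue('path', options.path)}`);
  if (options.domain !== undefined) parts.push(`Domain=${attrValue('domain', options.domain)}`);
  if (options.secure) parts.push('Secure');

  // sameSite is matched against a fixed allow-list, never echoed verbatim.
  if (options.sameSite !== undefined) {
    const mode = SAME_SITE.get(String(options.sameSite).toLowerCase());
    if (!mode) throw new TypeError('sameSite must be strict, lax or none');
    parts.push(`SameSite=${mode}`);
  }
  return parts.join('; ');
}
```

Calling `serializeCookie('sid', 'abc', { secure: true, sameSite: 'strict' })` sets `SameSite` without any `expires` argument, which is the case the message argues a positional `$expires` parameter would make awkward.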