Newsgroups: php.internals
Date: Sun, 29 Jul 2018 13:22:09 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Niklas Keller
Cc: mail@pmmaga.net, Andrey Andreev, f.bosch@genkgo.nl, Stas Malyshev, PHP internals
Subject: Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

On Mon, Jul 23, 2018 at 10:42 AM Niklas Keller wrote:

> On Sun, Jul 22, 2018 at 18:11, Pedro Magalhães <mail@pmmaga.net> wrote:
> >
> > On Sun, Jul 22, 2018 at 2:47 PM Niklas Keller wrote:
> >
> > > It'd be great to use an OO approach instead of "magic" array keys,
> > > e.g. like this:
> > >
> > > https://github.com/amphp/http/blob/9c0ba2f2ebfae482b3ad7a0475eb3d1f74d87949/src/Cookie/CookieAttributes.php
> > >
> > > Regards, Niklas
> >
> > Hi,
> >
> > While I do agree with the sentiment:
> > - That would have been an even greater departure from the original RFC.
> > - This is currently a purely procedural API. If this were about a
> > hypothetical `ResponseHeaders::setCookie` it would definitely be the way
> > to go.
> >
> > Regards,
> > Pedro
>
> Hey Pedro,
>
> why does it have to be an all or nothing approach? It's perfectly fine
> to have a function that accepts an object.
>
> Regards, Niklas

While defining a SessionCookieParams object and using it is OK, there is one
thing to consider: how it could be more useful than the current procedural
API, i.e. array vs. object params.

    class SessionCookieParams {
        public $lifetime;
        public $path;
        // and so on
    }

Users can still make typos with this, so it may be

    class SessionCookieParams {
        private $lifetime;
        private $path;
        // and so on
        function setLifetime() { /* ... */ }
        function setPath() { /* ... */ }
    }

Defining such an OO API is out of scope for this RFC. It would be better to
let users define such an OO API wrapper for the time being.

If we would like to add an OO API for session, it would be better to have
session_oo.c or the like and define the OO APIs in it. This requires a new RFC.

One thing regarding implementation.
Since the internet RFC has only 2 values for "samesite", the parameter can be
bool rather than string so that users can avoid "broken security by a typo".
If "samesite" has more than 2 values, the INI handler can be changed so that
it can handle both bool and string parameters.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
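
An added example, not part of the original message or of PHP itself: a user-land wrapper of the kind the message leaves to users, with private state and setters so that a mistyped "samesite" value is rejected instead of passed through. The class, method and constant names are hypothetical, and the array keys are assumed to match the array-style options under discussion.

```php
<?php
declare(strict_types=1);

// Hypothetical user-land wrapper (not part of PHP or the RFC): private state
// plus setters, so a misspelled option name or value fails loudly.
final class SessionCookieParams
{
    private const SAMESITE = ['Strict', 'Lax']; // the two values the message refers to

    private $lifetime = 0;
    private $path = '/';
    private $samesite = null; // null: the attribute is not sent

    public function setLifetime(int $seconds): self
    {
        if ($seconds < 0) {
            throw new InvalidArgumentException('lifetime must be >= 0');
        }
        $this->lifetime = $seconds;
        return $this;
    }

    public function setPath(string $path): self
    {
        $this->path = $path;
        return $this;
    }

    public function setSameSite(string $value): self
    {
        $value = ucfirst(strtolower($value)); // accept any letter case
        if (!in_array($value, self::SAMESITE, true)) {
            throw new InvalidArgumentException("unknown samesite value: $value");
        }
        $this->samesite = $value;
        return $this;
    }

    public function toArray(): array // keys assumed to match the array-style options
    {
        $out = ['lifetime' => $this->lifetime, 'path' => $this->path];
        return $this->samesite === null ? $out : $out + ['samesite' => $this->samesite];
    }
}

var_export((new SessionCookieParams())->setLifetime(3600)->setPath('/app')->setSameSite('lax')->toArray());
try {
    (new SessionCookieParams())->setSameSite('Strcit'); // constructed typo
} catch (InvalidArgumentException $e) { echo "\nrejected: ", $e->getMessage(), "\n"; }
```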