Newsgroups: php.internals
Date: Thu, 20 Sep 2018 13:18:25 +0300
From: narf@devilix.net (Andrey Andreev)
To: "Christoph M. Becker"
Cc: Nicolas Grekas, PHP Internals List
Subject: Re: [PHP-DEV] Re: setcookie() doesn't follow the RFC in 7.3

Hi,

On Thu, Sep 20, 2018 at 12:12 PM, Christoph M. Becker wrote:
> On 20.09.2018 at 08:15, Nicolas Grekas wrote:
>
>> yesterday I submitted https://bugs.php.net/76906 to report that I wasn't
>> able to set the "samesite" attribute on cookies while I followed what's
>> been approved in https://wiki.php.net/rfc/same-site-cookie
>>
>> Damian answered on the bug report that the $options argument has swallowed
>> the lifetime one, so that $options is now the 3rd arg and not the 4th as
>> noted in the RFC.
>>
>> He suggested that I raise the topic on internals, so here we are.
>>
>> Are we fine with this? If yes, shouldn't an errata be added to the RFC so
>> that ppl aren't confused like I was?
>
> Related discussion: ff.
>
> Not sure if an errata (or amendment) should be added to the RFC, or
> whether it is sufficient to document the new signatures in the manual
> proper and the migration guide.
>

A reminder of some rather ... out of the ordinary things that led us here:

- The RFC author was trying to rush *any* kind of SameSite implementation for 7.2, but eventually agreed mid-vote (https://externals.io/message/100304#100319) to give it another year for proper discussion, modifications, etc.
- However, the vote was not closed and I still question whether it should be considered valid at all, but if so, it was voted-in WITH an explicit $expires parameter for setcookie(), setrawcookie() and an explicit $lifetime parameter for session_set_cookie_params().
- As it often happens, no further discussion happened on the list until 7.3 FF was just about to happen.
- It was suggested that we move $expires/$lifetime inside the array, and we agreed on that for session_set_cookie_params(), but for set[raw]cookie(), it was basically one person for it and another one (me) against it. We didn't reach an agreement; here's the last on-topic email about it: https://externals.io/message/100304#102964

Since a PR with that change has been merged, apparently a side was chosen and so be it, I guess. But given all of the above, I think adding an errata to the RFC is the least that should be done.

Cheers,
Andrey.
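
The signature difference discussed in this thread, as an added example that is not part of the original message or of the PHP project's code: on 7.3 the options array is the third argument of setcookie() and carries 'expires', while older versions need the Set-Cookie header built by hand to carry SameSite. The helper names set_samesite_cookie() and build_cookie_header(), the fixed Path=/ and the sample cookie are assumptions made for illustration.

```php
<?php
// Added illustration; both helper functions below are hypothetical, not PHP APIs.

function build_cookie_header(string $name, string $value, int $expires, string $sameSite): string
{
    // Manual header for PHP < 7.3, where setcookie() cannot emit SameSite.
    $parts = [$name . '=' . rawurlencode($value)];
    if ($expires > 0) {
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    $parts[] = 'Path=/';
    $parts[] = 'Secure';
    $parts[] = 'HttpOnly';
    $parts[] = 'SameSite=' . $sameSite;
    return 'Set-Cookie: ' . implode('; ', $parts);
}

function set_samesite_cookie(string $name, string $value, int $expires, string $sameSite = 'Lax'): bool
{
    // Allow-list the attribute value so caller input never reaches the header verbatim.
    if (!in_array($sameSite, ['Strict', 'Lax'], true)) {
        throw new InvalidArgumentException('SameSite must be Strict or Lax');
    }
    // Reject separators and control characters that would split or corrupt the header.
    if ($name === '' || strpbrk($name, "=,; \t\r\n\013\014") !== false) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    if (PHP_VERSION_ID >= 70300) {
        // 7.3 as merged: $options is the 3rd argument and 'expires' lives inside it.
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => $sameSite,
        ]);
    }
    if (headers_sent()) {
        return false; // too late to add a header on the manual path
    }
    header(build_cookie_header($name, $value, $expires, $sameSite), false);
    return true;
}

// Constructed sample cookie: one hour lifetime, never sent on cross-site requests.
set_samesite_cookie('prefs', 'dark mode', time() + 3600, 'Strict');
```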