Newsgroups: php.internals
Date: Sun, 15 Jan 2023 21:58:41 +0100
To: PHP internals
Message-ID: <05489B2A-0BD4-4427-9279-DE3E02387B57@cschneid.com>
Subject: Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
From: cschneid@cschneid.com (Christian Schneider)

On 14.01.2023 at 16:14, G. P. B. wrote:
> I would like to start the discussion about the Add SameSite cookie
> attribute parameter RFC:
> https://wiki.php.net/rfc/same-site-parameter
>
> This proposes to add an optional same site parameter to the setrawcookie(),
> setcookie() and session_set_cookie_params() that takes as a value a new
> SameSite enum:
>
> enum SameSite {
>     case None;
>     case Lax;
>     case Strict;
> }

Some comments:

- I am not convinced that we should introduce a third way of providing
  parameters to setcookie(). I don't think this function is used often
  enough in common code to add yet another iteration of the API. Assuming
  there are 1 to 2 places in your framework using this, I don't think many
  bugs will go unnoticed. Adding a warning to illegal 'samesite' values in
  $options would IMHO be enough if stricter checking is wished for.

- I don't like the camelCase of $sameSite as this is different from all
  the other parameters, e.g. $expires_or_options (yes, this is a
  pseudo-parameter name, I know) and $httponly. Looking at a couple of
  functions in the standard PHP set I didn't see any $camelCase.

- A more generic question: How are Enums handled concerning future
  additions of values vs. BC compatibility? What is the migration plan
  there if one wants to support both old and new PHP versions?

Regards,
- Chris
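
Added example, not part of the original message or of the RFC: a userland version of the check mentioned in the first comment above, warning on illegal 'samesite' values in the setcookie() options array. The helper name checked_cookie_options() and the sample cookie are hypothetical, and dropping the attribute on an illegal value is a policy chosen for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical userland helper (not part of PHP or the RFC): checks the
// 'samesite' key of a setcookie() options array (array form: PHP >= 7.3).
function checked_cookie_options(array $options): array
{
    if (!array_key_exists('samesite', $options)) {
        return $options;
    }

    $raw = $options['samesite'];
    // Attribute values are matched case-insensitively; normalise the casing.
    $value = is_string($raw) ? ucfirst(strtolower($raw)) : null;

    if (!in_array($value, ['None', 'Lax', 'Strict'], true)) {
        // Example policy: warn and send no SameSite attribute at all
        // rather than pass an unknown value through to the header.
        trigger_error(
            "Illegal 'samesite' value " . var_export($raw, true) . ', attribute dropped',
            E_USER_WARNING
        );
        unset($options['samesite']);
        return $options;
    }

    // Assumption about client behaviour: current browsers reject
    // SameSite=None cookies that are not also marked Secure.
    if ($value === 'None' && empty($options['secure'])) {
        trigger_error("SameSite=None set without 'secure'", E_USER_WARNING);
    }

    $options['samesite'] = $value;
    return $options;
}

// Constructed sample input: valid value with non-canonical casing.
$ok = checked_cookie_options([
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'strict',
]);
setcookie('example_cookie', 'value', $ok);

// Constructed sample input: a typo in the value triggers the warning.
$bad = checked_cookie_options(['path' => '/', 'samesite' => 'Strickt']);
var_dump(isset($bad['samesite']));
```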