Newsgroups: php.internals
Date: Sun, 15 Jan 2023 22:08:55 +0100
Subject: Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
From: claude.pache@gmail.com (Claude Pache)
To: "G. P. B."
Cc: PHP internals

> On 14 Jan 2023, at 16:14, G. P. B. wrote:
>
> Hello Internals,
>
> I would like to start the discussion about the Add SameSite cookie
> attribute parameter RFC:
> https://wiki.php.net/rfc/same-site-parameter
>
> This proposes to add an optional same site parameter to the setrawcookie(),
> setcookie() and session_set_cookie_params() that takes as a value a new
> SameSite enum:
>
> enum SameSite {
>     case None;
>     case Lax;
>     case Strict;
> }
>
>
> Best regards,
>
> George P. Banyard

Hi,

Some technical remarks:

* The new parameter name should be `$samesite` (all lowercase), in order to match with the casing of the corresponding key in `$options`.

* I think that you should add the case `SameSite::Omit` (which is the current default). This is not only for BC, but also for FC if, for some reason, `SameSite: Lax` is replaced by some attribute that supersedes it. Or if `SameSite: Lax` becomes the default, and therefore redundant. — Having `SameSite::Omit` instead of `null` would mean that it would be difficult to miss it by accident.

That said, I am much more interested in being able to add custom cookie attributes. Back when SameSite was introduced (on the web, not in PHP), I recall that I had to use some hack in order to include them in my session cookie (before upgrading to PHP 7.3). The new cookie attributes mentioned by Nicolas in the other mail are probably too experimental in order to support them officially, but it could be interesting to be able to include them nonetheless, e.g. using some `customAttributes` parameter.

—Claude
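
The `SameSite::Omit` case and the `customAttributes` idea from this reply, sketched as an added example; it is not code from the RFC, from PHP core, or from either author. `buildSetCookie()` and its validation rules are hypothetical, and the sketch assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// The enum from the RFC, plus the Omit case suggested in the reply.
enum SameSite { case Omit; case None; case Lax; case Strict; }

// Hypothetical helper, not a PHP core function: builds a Set-Cookie value.
// $customAttributes maps attribute name => string value, or true for a flag.
function buildSetCookie(
    string $name,
    string $value,
    SameSite $samesite = SameSite::Omit,
    bool $secure = false,
    bool $httponly = false,
    array $customAttributes = [],
): string {
    // Control characters or ';' would let a value smuggle in extra attributes.
    $unsafe = static fn(string $s): bool => preg_match('/[\x00-\x1F\x7F;]/', $s) === 1;

    if (preg_match('/^[A-Za-z0-9_.-]+$/', $name) !== 1) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    // Browsers reject SameSite=None cookies that are not marked Secure.
    if ($samesite === SameSite::None && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }

    $parts = [$name . '=' . rawurlencode($value)];
    if ($secure)   { $parts[] = 'Secure'; }
    if ($httponly) { $parts[] = 'HttpOnly'; }
    if ($samesite !== SameSite::Omit) {
        $parts[] = 'SameSite=' . $samesite->name;   // Omit emits no attribute
    }
    foreach ($customAttributes as $attr => $val) {
        $reserved = in_array(strtolower((string) $attr), ['samesite', 'secure', 'httponly'], true);
        if ($reserved || preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', (string) $attr) !== 1) {
            throw new InvalidArgumentException("Invalid custom attribute name: $attr");
        }
        if ($val !== true && (!is_string($val) || $unsafe($val))) {
            throw new InvalidArgumentException("Invalid value for attribute $attr");
        }
        $parts[] = $val === true ? $attr : "$attr=$val";
    }
    return implode('; ', $parts);
}

// Constructed usage: "Partitioned" is only a sample custom attribute.
echo buildSetCookie('sid', 'abc123', SameSite::None, secure: true,
    httponly: true, customAttributes: ['Partitioned' => true]), "\n";
```

A free-form attribute list is a header-injection surface if any part of it comes from request data, which is why the sketch rejects `;` and control characters and refuses to let a custom entry shadow `SameSite`, `Secure` or `HttpOnly`.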