Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:119280 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 64718 invoked from network); 16 Jan 2023 15:36:43 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 16 Jan 2023 15:36:43 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id C1AFD180538 for ; Mon, 16 Jan 2023 07:36:41 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.4 required=5.0 tests=BAYES_00,RCVD_IN_SBL_CSS, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15623 212.45.192.0/19 X-Spam-Virus: No X-Envelope-From: Received: from mail.gna.ch (mail.gna.ch [212.45.196.109]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 16 Jan 2023 07:36:41 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by darkcity.gna.ch (Postfix) with ESMTP id 83F283A1D77 for ; Mon, 16 Jan 2023 16:36:38 +0100 (CET) X-Virus-Scanned: amavisd-new at example.com Received: from mail.gna.ch ([127.0.0.1]) by localhost (darkcity.gna.ch [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnbSCwEBqZ-d for ; Mon, 16 Jan 2023 16:36:38 +0100 (CET) Received: from smtpclient.apple (unknown [194.169.219.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by darkcity.gna.ch (Postfix) with ESMTPSA id F240A3A13C8 for ; Mon, 16 Jan 2023 16:36:37 +0100 (CET) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.300.101.1.3\)) Date: Mon, 16 Jan 2023 16:36:37 +0100 References: To: PHP internals In-Reply-To: Message-ID: <22D992B7-62B3-4A4F-934F-17D53058FD35@cschneid.com> X-Mailer: Apple Mail (2.3731.300.101.1.3) Subject: Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter From: cschneid@cschneid.com (Christian Schneider) Am 16.01.2023 um 14:39 schrieb G. P. B. : > On Sun, 15 Jan 2023 at 20:58, Christian Schneider = wrote: > Some comments: > - I am not convinced that we should introduce a third way of providing = parameters to setcookie(). I don't think this function is used often = enough in common code to add yet another iteration of the API. Assuming = there is 1 to 2 places in your framework using this I don't think many = bugs will go unnoticed. Adding a warning to illegal 'samesite' values in = $options would IMHO be enough if stricter checking is wished for. >=20 > How is this providing a third way of providing parameters to = setcookie()? As it is, if I want to use named arguments and the typed = parameters, I cannot set the SameSite attribute. > I've heard multiple people waste time due to a SameSite bug because = they made a typo, and it took them way too long to figure out the issue = as they thought they had a server configuration problem. > Adding a warning for invalid values is effectively turning that option = into an Enum, which at this point one might as well have a proper Enum. Maybe third API was misleading, what I mean is that we had the (old) way = of positional arguments for options which did not include something like = samesite and the (new) way with the options array. So I would assume = most code was migrated to $options. Now you are suggesting of updating the old API with an additional = positional argument which would mean changing the array-form back to = positional. Is your plan to deprecate the $options-API at some point in the future? = Having two APIs offering the same functionality seems a bit confusing to = me. Alternatively the 'samesite' option in $options could accept = SameSite::Lax. This would accomplish (almost) the same with a smaller = change. Disclosure: I like arrays for options as they allow for array = addition etc. Something similar can be done with ...$options, true :-) Side-Note: Isn't SameSite a very generic name in the global namespace? = I'm not sure what the PHP policy is here. > - I don't like the camelCase of $sameSite as this is different from = all the other parameters, e.g. $expires_or_options (yes, this is a = pseudo-parameter name, I know) and $httponly. Looking at a couple of = functions in the standard PHP set I didn't see any $camelCase. >=20 > ACK, it should probably be in snake case and be $same_site Looking at $httponly I would have expected $samesite. > - A more generic question: How are Enums handled concerning future = additions of values vs. BC compatibility? What is the migration plan = there if one wants to support both old and new PHP versions? >=20 > The parameter is optional, so I don't understand what migration plan = you need? > If in the, unlikely, event that a new value is added this should be = added as a case in the enum in the next minor version of PHP. > In the, again unlikely, event that a value is deprecated, the = corresponding enum case should also be deprecated following the normal = PHP deprecation process. >=20 > I only decided to make this an enum because I deem it very unlikely = for a new valid attribute value to be introduced, the new IETF RFC = clarifies and amends the behaviour of the 3 valid attribute values that = have always been the same since 2016. I was talking about extending Enums, not the parameter and not SameSite = specifically. Are there any Enums in core PHP APIs where new values could be added in = the future and how is the plan for code supporting multiple PHP version = there? This was just something which crossed my mind when thinking about = APIs with Enums. This is not really related to this RFC so I understand = if you want to ignore this part :-) Regards, - Chris