Newsgroups: php.internals
Date: Wed, 18 Jan 2023 17:08:45 +0100
From: cschneid@cschneid.com (Christian Schneider)
To: PHP internals
Subject: Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
Message-ID: <7802BE75-1026-42AE-B4B0-E2FA9D243B1C@cschneid.com>
In-Reply-To: <5A9A769C-C0B5-40CB-9BAD-8FD0A9C31794@gmail.com>

On 18.01.2023 at 16:26, Claude Pache wrote:

>> On 18 Jan 2023 at 16:20, Derick Rethans wrote:
>>
>> if (version_compare(phpversion(), "8.4.0", ">")) {
>>     setcookie("test", "value", samesite: SameSite::Stricter);
>> } else {
>>     setcookie("test", "value", samesite: SameSite::Strict);
>> }
>
> Or even, replace `version_compare(...)` with `SameSite::tryFrom(...) !== null`:
> setcookie("test", "value", samesite: SameSite::tryFrom('Stricter') ?? SameSite::Strict);

Thanks for your replies, I like the second option as it is a feature instead of a version check.

Now my only itch is that the support for SameSite=Stricter is actually depending on the browser, not the server so assuming all browsers are already supporting this new mode I should not send a less strict mode just because I'm using an old PHP version. This is currently possible since setcookie() does not validate the content of the samesite options.

But as this is somewhat of a special case (most function options do not depend on something external) and you seem to be confident that the list of SameSite options will not change any time soon I'll shut up now :-)

Regards,
- Chris
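
The two behaviours contrasted in this message, side by side, as an added example that is not part of the original email, the RFC, or PHP itself. `DemoSameSite` is a hypothetical userland stand-in for the proposed enum, `Stricter` is the thread's hypothetical future mode, and `cookieHeader()` is an illustrative helper that builds the header text instead of calling `setcookie()`.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the enum proposed in the RFC. It only knows
// the modes that existed when this (older) server-side code was written.
enum DemoSameSite: string
{
    case Strict = 'Strict';
    case Lax = 'Lax';
    case None = 'None';
}

// Illustrative helper: returns the Set-Cookie header line as a string.
// $sameSite is either an enum case (limited to what the runtime knows)
// or a raw string (passed through, like an unvalidated 'samesite' option).
function cookieHeader(string $name, string $value, DemoSameSite|string $sameSite): string
{
    $token = $sameSite instanceof DemoSameSite ? $sameSite->value : $sameSite;

    // Even in pass-through mode, refuse anything that is not a bare word,
    // so the token cannot smuggle extra attributes or header lines.
    if (preg_match('/^[A-Za-z]+$/', $token) !== 1) {
        throw new InvalidArgumentException('Invalid SameSite token');
    }

    return 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
        . '; SameSite=' . $token;
}

// Enum with fallback (the tryFrom() suggestion quoted above): the server's
// enum decides, so a runtime that does not know 'Stricter' sends Strict,
// even if every browser already understands the newer mode.
$viaEnum = cookieHeader(
    'test',
    'value',
    DemoSameSite::tryFrom('Stricter') ?? DemoSameSite::Strict
);

// Raw string: the token reaches the browser unchanged, whatever the
// server-side runtime knows about it. The browser decides what it means.
$viaString = cookieHeader('test', 'value', 'Stricter');

echo $viaEnum, PHP_EOL;
echo $viaString, PHP_EOL;
```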