Newsgroups: php.internals
From: lists@rhsoft.net ("lists@rhsoft.net")
To: PHP Internals List
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
Date: Tue, 18 Jul 2017 16:09:37 +0200
Message-ID: <514cc23a-b267-3717-1310-b117346c1b8a@rhsoft.net>

On 18.07.2017 at 16:00, Marco Pivetta wrote:
> On Tue, Jul 18, 2017 at 3:50 PM, lists@rhsoft.net wrote:
>
> > i don't share your opinion, especially talking about 'should be
> > deprecated' where i get the feeling some people's hobby is to deprecate
> > working things
> >
> > comparing cookie params with encryption is hopefully just kidding
>
> It could be a "hello world" function - same stuff.
>
> Also, yes, cookies are as security-sensitive stuff as crypto, if not
> often more (since crypto is usually handled at webserver level, and
> direct usage of openssl is more "rare")

how can they then be more security-sensitive within the encryption layer....

but that's not the point: setcookie() even with all its params is easy and clear to use for anybody who has a clue what he is doing and there is no need to deprecate it nor design a new shiny API for it as replacement