Newsgroups: php.internals
Date: Tue, 18 Jul 2017 17:13:15 +0300
From: narf@devilix.net (Andrey Andreev)
To: "Frederik Bosch | Genkgo"
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
In-Reply-To: <08f6d5f1-a7e7-90a3-1b6a-ac353498cef8@genkgo.nl>
References: <14052ebf-efea-cb43-39e0-bdc30e493ff3@genkgo.nl> <08f6d5f1-a7e7-90a3-1b6a-ac353498cef8@genkgo.nl>

Hi again,

On Tue, Jul 18, 2017 at 4:23 PM, Frederik Bosch | Genkgo wrote:
> Hi Andrey,
>
> Thanks for your feedback. If we are going to wait for http_cookie_set,
> then my guess will be that it will take a while before we see samesite
> cookie implemented. While I totally agree there is need for a new function
> with a better API, I fail to see why that would mean we cannot have a
> samesite argument in the set(raw)cookie functions now. The RFC is in line
> with the design of these functions.

I don't know what you mean by "now" ... it's not like it can happen overnight.

> With regard to browsers not implementing it, let me quote the current
> documentation on the httponly argument. "It has been suggested that this
> setting can effectively help to reduce identity theft through XSS attacks
> (although it is not supported by all browsers), but that claim is often
> disputed." Basically it says that it is not supported by all browsers, but
> provides help reducing XSS attacks. I don't see the difference with
> samesite.
Well, if you insist on comparing the two ...

- HttpOnly was released with PHP 5.2.0 in January 2011 - just 3 months
  prior to IETF RFC 6265 (April 2011) becoming a standards track.
- SameSite has only a single IETF draft, which has expired because it's
  been inactive for a year.

I too want to see SameSite cookies added to PHP's standard library, but
this is certainly not a thing that needs to happen yesterday. There's no
reason not to wait for the http_cookie_set() proposal.

And I too agree that adding a millionth parameter to setcookie() is the
wrong approach anyway.

Cheers,
Andrey.
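As an added example, not code from this thread or from the RFC under discussion: a helper that emits a Set-Cookie header carrying the HttpOnly and SameSite attributes through header(), for a PHP build whose setcookie() has no samesite argument. The function name, option keys and cookie value are assumptions for illustration; the accepted SameSite values are the two from the draft the thread refers to (Strict and Lax).

```php
<?php
// Added example (not from the thread): build and send a Set-Cookie header
// with HttpOnly and SameSite attributes when setcookie() offers no samesite
// argument. Option keys and sample values are constructed for illustration.

function build_set_cookie_header(string $name, string $value, array $opts = []): string
{
    // Cookie names must not contain separators or control characters;
    // refuse to emit a malformed header rather than let it through.
    if ($name === '' || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    $parts = [$name . '=' . rawurlencode($value)];

    if (!empty($opts['expires'])) {
        // Same date format setcookie() uses; Max-Age added for clients that prefer it.
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s T', $opts['expires']);
        $parts[] = 'Max-Age=' . max(0, $opts['expires'] - time());
    }
    if (!empty($opts['path']))     { $parts[] = 'Path=' . $opts['path']; }
    if (!empty($opts['domain']))   { $parts[] = 'Domain=' . $opts['domain']; }
    if (!empty($opts['secure']))   { $parts[] = 'Secure'; }
    if (!empty($opts['httponly'])) { $parts[] = 'HttpOnly'; }

    if (isset($opts['samesite'])) {
        // Only the values defined by the SameSite draft are accepted.
        $mode = ucfirst(strtolower($opts['samesite']));
        if (!in_array($mode, ['Strict', 'Lax'], true)) {
            throw new InvalidArgumentException('invalid SameSite value');
        }
        $parts[] = 'SameSite=' . $mode;
    }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Second argument false: append rather than replace any Set-Cookie header
// already queued, so other cookies set earlier in the request survive.
header(build_set_cookie_header('sid', 'constructed-session-id', [
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]), false);
```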