Newsgroups: php.internals
Date: Tue, 18 Jul 2017 20:49:16 +0300
To: Andreas Treichel
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] http_cookie_set and http_cookie_remove
From: narf@devilix.net (Andrey Andreev)

Hi Andreas,

On Tue, Jul 18, 2017 at 7:39 PM, Andreas Treichel wrote:
> Hello Andrey,
>
>>> $options are equal to the optional parameters of setcookie and
>>> setrawcookie.
>>> $options may contain:
>>>
>>> expires: int
>>> path: string
>>> domain: string
>>> secure: bool
>>> httponly: bool
>
>
>> 1. The wording here implies that these are the *only* attributes
>> allowed. In the interest of forward-compatibility, I'd allow arbitrary
>> attributes as well.
>
>
> These are the only supported options in the current implementation. Future
> extension like samesite cookies can add more options. Unknown options are
> ignored and trigger a warning.
>

That's what I was afraid of, and what I suggested be changed. If we had
a similar, array-of-attributes API that did NOT ignore or trigger
warnings for unknown attributes, everybody using PHP would've been able
to use SameSite already.

>>> encode is an additional option to remove the requirement of a raw and non
>>> raw function.
>>>
>>> encode: int
>>> HTTP_COOKIE_ENCODE_NONE (same as setrawcookie)
>>> HTTP_COOKIE_ENCODE_RFC1738 (same as setcookie)
>>> HTTP_COOKIE_ENCODE_RFC3986
>
>
>> 2. I don't think this is necessary, nor that it belongs in the $options
>> array.
>
>
> Most users don't know the correct encoding for cookies. This idea is from the
> $enc_type parameter of http://php.net/http_build_query. The documentation of
> http_cookie_set() should explain it the same way.
>
> Maybe I can move it out of the $options array and add an extra parameter for
> the encoding, if the $options are the wrong location for this.
>

On another note, I'd also move the 'expire' option to a separate
parameter and remove $options to $attributes. 'expire' is not a known
cookie attribute; PHP uses it to calculate the Expires and Max-Age
attributes ...

>
>> Anybody who'd use it, would have to read RFC1738 and/or RFC3986 to
>> know what they do.
>
>
> This is the same as setcookie(). No one has to read the rfc, which is not
> interested as it exactly works. HTTP_COOKIE_ENCODE_RFC1738 is the default
> for the encode option and encodes the value the same way as setcookie encodes
> it.
>
> the default values for the options are the same as the parameters for the
> current setcookie(). The default values for the $options:
>
> expires: int, default: 0
> path: string, default: ""
> domain: string, default: ""
> secure: bool, default: false
> httponly: bool, default: false
> encode: int, default: HTTP_COOKIE_ENCODE_RFC1738
>
>
>> And as the constant names aren't particularly short either, it is
>> easier for me to just apply an encoding function directly to $value
>> before passing it.
>
>
> The current names of the constants are not short, but in most cases I think
> you don't need it.
>
>
>> Also, RFC 6265 (section 4.1.1) only mentions Base64 as a suggestion
>> for encoding (and that's a SHOULD).
>> Link: https://tools.ietf.org/html/rfc6265#section-4.1.1
>
>
> http_cookie_set() uses the same encoding per default as setcookie().
>

Sorry, but this is kind of pointless then.
I liked your proposal, because it's a chance to have a shiny new API
that doesn't come with all the legacy stuff already built into
setcookie(). But if we want an array-based setcookie() alternative
without changing anything else, we can just change setcookie() to
accept arrays.

In hindsight, if this is really what you wanted, then I have to agree
with Dan - that is building on a foundation of sand.

Cheers,
Andrey.
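
An added sketch of the array-of-attributes design argued for in this message (not code from the thread or from PHP itself): the hypothetical build_set_cookie() passes unknown attributes such as SameSite through after validating them against header injection, takes the expiry as its own parameter, and leaves value encoding to the caller. The function name, its signature and the sample cookie are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not a PHP core function: builds a Set-Cookie header line
// from a name, an already-encoded value, an expiry and free-form attributes.
function build_set_cookie(string $name, string $value, int $expire = 0, array $attributes = []): string
{
    // Cookie name must be an RFC 7230 token; this also rejects CR, LF, ';' and '='.
    if (!preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/D', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    // cookie-octet (RFC 6265 section 4.1.1): no CTLs, space, '"', ',', ';' or '\'.
    if (!preg_match('/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/D', $value)) {
        throw new InvalidArgumentException('value must be encoded by the caller');
    }
    $parts = [$name . '=' . $value];

    // 'expire' is not an attribute itself; it yields both Expires and Max-Age.
    if ($expire !== 0) {
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', $expire) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $expire - time());
    }

    foreach ($attributes as $attr => $attrValue) {
        // Unknown attribute names pass through, but only as well-formed tokens.
        if (!is_string($attr) || !preg_match('/^[A-Za-z][A-Za-z0-9-]*$/D', $attr)) {
            throw new InvalidArgumentException('invalid attribute name');
        }
        if ($attrValue === false || $attrValue === null) {
            continue;                       // flag switched off
        }
        if ($attrValue === true) {
            $parts[] = $attr;               // flag attribute such as Secure, HttpOnly
            continue;
        }
        $attrValue = (string) $attrValue;
        // Attribute values: printable ASCII except ';', so a value cannot start
        // a new attribute or a new header line.
        if (!preg_match('/^[\x20-\x3A\x3C-\x7E]*$/D', $attrValue)) {
            throw new InvalidArgumentException("invalid value for $attr");
        }
        $parts[] = $attr . '=' . $attrValue;
    }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Constructed sample input; SameSite needs no special support in the builder.
echo build_set_cookie('sid', rawurlencode('a b/c'), 0,
    ['Path' => '/', 'Secure' => true, 'HttpOnly' => true, 'SameSite' => 'Lax']), "\n";
```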