rfc:same-site-cookie
Differences
This shows you the differences between two versions of the page.
rfc:same-site-cookie [2017/07/17 21:00] – f.bosch_genkgo.nl | rfc:same-site-cookie [2022/11/21 11:07] (current) – Point commits to GitHub girgias | ||
---|---|---|---|
Line 4: | Line 4: | ||
* Author of RFC and creator of PR: Frederik Bosch, f.bosch@genkgo.nl | * Author of RFC and creator of PR: Frederik Bosch, f.bosch@genkgo.nl | ||
* Author of original patch: xistence at 0x90 dot nl | * Author of original patch: xistence at 0x90 dot nl | ||
- | * Status: | + | * Status: |
* First Published at: https:// | * First Published at: https:// | ||
Line 12: | Line 12: | ||
===== How the samesite flag works ===== | ===== How the samesite flag works ===== | ||
- | Cookies are issued using the Set-Cookie header. When issuing a cookie, one can set a key and value together with flags for the browser to determine whether the cookie should be accessible | + | Cookies are issued using the Set-Cookie header. When issuing a cookie, one can set a key and value together with flags for the browser to determine whether the cookie should be accessible. A typical cookie might look like this. |
< | < | ||
Line 20: | Line 20: | ||
As many will know, this opens doors for CSRF attacks, an attack that forces an end user to execute unwanted actions on a web application in which they' | As many will know, this opens doors for CSRF attacks, an attack that forces an end user to execute unwanted actions on a web application in which they' | ||
- | According to the proposed standard, there are now two possibilities for a cookie that is using the samesite flag: " | + | According to the proposed standard, there are now two possibilities for a cookie that is using the samesite flag: " |
A cookie that is issued using the samesite flag, might look as follows. | A cookie that is issued using the samesite flag, might look as follows. | ||
Line 36: | Line 36: | ||
- session_set_cookie_params | - session_set_cookie_params | ||
- session_get_cookie_params | - session_get_cookie_params | ||
+ | |||
+ | The first three functions have a similar function signature. This RFC proposes two possibilities to change these three functions. The first possibility is to add an additional argument to these functions. The second possibility is to allow an array of options in which all the cookie options will be moved into. | ||
+ | |||
+ | When voting, one can decide to (a) accept/ | ||
==== setcookie ==== | ==== setcookie ==== | ||
- | The setcookie function will get an extra argument | + | 1. Add an additional |
<code php> | <code php> | ||
bool setcookie ( string $name [, string $value = "" | bool setcookie ( string $name [, string $value = "" | ||
+ | </ | ||
+ | |||
+ | 2. Modify setcookie as such that the function also allows an array of options. The keys within $options that have affect to the Set-Cookie header are: path, domain, secure, httponly and samesite. The default values for these options will remain untouched. The default value for samesite will be the empty string. | ||
+ | |||
+ | <code php> | ||
+ | bool setcookie ( string $name [, string $value = "" | ||
+ | bool setcookie ( string $name [, string $value = "" | ||
</ | </ | ||
==== setrawcookie ==== | ==== setrawcookie ==== | ||
- | The setrawcookie function will get an extra argument | + | 1. Add an additional |
<code php> | <code php> | ||
bool setrawcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false [, string $samesite = "" | bool setrawcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false [, string $samesite = "" | ||
+ | </ | ||
+ | |||
+ | 2. Modify setrawcookie as such that the function also allows an array of options. The keys within $options that have affect to the Set-Cookie header are: path, domain, secure, httponly and samesite. The default values for these options will remain untouched. The default value for samesite will be the empty string. | ||
+ | |||
+ | <code php> | ||
+ | bool setrawcookie ( string $name [, string $value = "" | ||
+ | bool setrawcookie ( string $name [, string $value = "" | ||
</ | </ | ||
==== session_set_cookie_params ==== | ==== session_set_cookie_params ==== | ||
- | The session_set_cookie_param function will get an extra argument | + | 1. Add an additional |
<code php> | <code php> | ||
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false [, string $samesite = "" | void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false [, string $samesite = "" | ||
+ | </ | ||
+ | |||
+ | 2. Modify session_set_cookie_param as such that the function also allows an array of options. The keys within $options that have affect to the Set-Cookie header are: path, domain, secure, httponly and samesite. The default values for these options will remain untouched. The default value for samesite will be the empty string. | ||
+ | |||
+ | <code php> | ||
+ | void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] ) | ||
+ | void session_set_cookie_params ( int $lifetime [, array $options ] ) | ||
</ | </ | ||
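Review bot: The added option 2 paragraphs (under setcookie, setrawcookie and session_set_cookie_params) give the samesite default as the empty string but do not say what an empty string produces in the Set-Cookie header, nor how keys in $options other than path, domain, secure, httponly and samesite are handled; suggest stating both so the two proposals can be compared on behaviour. In the session_set_cookie_params paragraph the function is written "session_set_cookie_param", which does not match the heading or the signature below it, and "have affect to" should read "affect" in all three paragraphs.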
Line 74: | Line 99: | ||
===== Pros and cons: why or why not to adopt this RFC ===== | ===== Pros and cons: why or why not to adopt this RFC ===== | ||
- | This RFC affects the security of PHP installations. Therefore it might seem to be a no-brainer that it gets accepted. However, that is not necessarily the case. In order to present voters a comprehensive view on the subject both pros and cons will be emphasized. | ||
- | |||
- | === Pros === | ||
The first and foremost reasons to accept this RFC is that developers will be able to better secure their PHP applications. It fits the step PHP is already making with the upcoming availability of libsodium. With this feature, the language would make another step in helping developers to write secure code. | The first and foremost reasons to accept this RFC is that developers will be able to better secure their PHP applications. It fits the step PHP is already making with the upcoming availability of libsodium. With this feature, the language would make another step in helping developers to write secure code. | ||
- | === Cons === | + | But, there is a risk involved |
- | There is a risk involved. The samesite cookie might not become a standard which might lead browsers to eventually drop the flag. If that would be the case, the < | + | |
- | === Conclusion === | + | Furthermore, |
+ | |||
+ | The author believes strongly that the pros weigh up to the cons. At this moment more than 50% of the global used browsers support the samesite flag. And another major browser is already working on it, being Firefox. How many PHP installations could we make more secure? We should add samesite to the core of PHP. The only question is: "What is the best route to take?" | ||
- | The author believes strongly that the pros weigh up to the cons. At this moment more than 50% of the global used browsers support the feature. And another major browser is already one working on it. How many PHP installations could we make more secure? Privacy and security are of a higher concern than the risk of ending up with one useless argument to three functions. | ||
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
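Review bot: The rewritten closing paragraph still rests on the claim that more than 50% of globally used browsers support the samesite flag, and now names Firefox as working on it, but gives no source or date for either; suggest linking the data and dating it, since that figure is the main argument for adoption. The hunk also drops the Pros, Cons and Conclusion subheadings while the section is still titled "Pros and cons", so the risk paragraph beginning "But, there is a risk involved" is harder to locate.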
Line 90: | Line 112: | ||
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
- | next PHP 7.x | + | Next PHP 7.x. Since deadlines have passed for 7.2, this will be 7.3. |
===== RFC Impact ===== | ===== RFC Impact ===== | ||
Line 100: | Line 122: | ||
The default value is the empty string in both default development and production php.ini. | The default value is the empty string in both default development and production php.ini. | ||
+ | |||
+ | ===== Future Scope ===== | ||
+ | When this RFC will be rejected, it could mean that the current cookie functions should be left untouched and that PHP needs new functions for cookies with a better API. | ||
===== Proposed Voting Choices ===== | ===== Proposed Voting Choices ===== | ||
- | This RFC requires a 50%+1 majority. | + | This RFC requires a 50%+1 majority. |
+ | |||
+ | |||
+ | === First implementation suggestion === | ||
+ | |||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | |||
+ | === Second implementation suggestion === | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
===== Patches and Tests ===== | ===== Patches and Tests ===== | ||
- | * [[https:// | + | * [[https:// |
+ | * Github PR with the array of options solution will be created when this RFC gets accepted | ||
+ | * Implemented via [[https:// | ||
+ | * Documented via [[https:// | ||
===== References ===== | ===== References ===== | ||
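Review bot: The two added doodles, "First implementation suggestion" and "Second implementation suggestion", are separate Yes/No polls, and the visible text around them does not say which implementation is taken if both reach the 50%+1 majority; suggest stating that rule next to the polls. Under Patches and Tests, the array-of-options PR is described as to be created only after acceptance, so the second suggestion has no patch to review at voting time. In Future Scope, "When this RFC will be rejected" should read "If this RFC is rejected".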
Line 112: | Line 156: | ||
* [[https:// | * [[https:// | ||
* [[https:// | * [[https:// | ||
+ | |||
+ | ===== Errata ===== | ||
+ | |||
+ | The actually implemented alternative signatures of the functions have been slightly changed from the original RFC. See the documentation in the PHP manual for details: | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// |
rfc/same-site-cookie.txt · Last modified: 2022/11/21 11:07 by girgias