PHP RFC: Same Site Cookie
- Version: 0.9
- Date: 2017-07-16
- Author of RFC and creator of PR: Frederik Bosch, f.bosch@genkgo.nl
- Author of original patch: xistence at 0x90 dot nl
- Status: Draft
- First Published at: https://wiki.php.net/rfc/same-site-cookie
Introduction
Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain. The technology is currently a proposed web standard. However, same-site cookies are already adopted by Chrome and planned by Firefox. Major PHP frameworks already implement this through a custom Set-Cookie header call. This RFC will try to convince voters that same-site cookies should be available as a core language feature.
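As an added illustration of the custom Set-Cookie workaround the introduction refers to (example code written for this page, not code from the RFC, its patch, or any framework; the helper names buildSameSiteCookie and sendSameSiteCookie are hypothetical), the following builds the header by hand, validates the pieces a caller supplies so user data cannot inject extra cookie attributes, and appends the SameSite attribute that setcookie() and setrawcookie() cannot emit today:

```php
<?php
declare(strict_types=1);

/**
 * Build the value of a Set-Cookie header that carries the SameSite attribute.
 *
 * Hypothetical helper added as an illustration; it is not part of the RFC.
 * It mirrors what frameworks do today: hand-craft the header because the
 * built-in cookie functions have no SameSite parameter yet.
 */
function buildSameSiteCookie(
    string $name,
    string $value,
    string $sameSite = 'Lax',  // 'Lax' or 'Strict', the values in the draft standard
    int $maxAge = 0,           // 0 means a session cookie (no Expires/Max-Age)
    string $path = '/',
    string $domain = '',
    bool $secure = true,
    bool $httpOnly = true
): string {
    // The cookie name must be an RFC 6265 token; reject anything else so a
    // caller cannot smuggle additional attributes into the header.
    if (!preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name)) {
        throw new InvalidArgumentException("Invalid cookie name: $name");
    }
    if (!in_array($sameSite, ['Lax', 'Strict'], true)) {
        throw new InvalidArgumentException("SameSite must be Lax or Strict, got: $sameSite");
    }
    if ($domain !== '' && !preg_match('/^[A-Za-z0-9.-]+$/', $domain)) {
        throw new InvalidArgumentException("Invalid cookie domain: $domain");
    }
    if (strpbrk($path, ";,\r\n") !== false) {
        throw new InvalidArgumentException("Invalid cookie path: $path");
    }

    // Percent-encode the value, as setcookie() does, so ';' or ',' in user
    // data cannot terminate the cookie-pair early.
    $parts = [$name . '=' . rawurlencode($value)];

    if ($maxAge > 0) {
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s T', time() + $maxAge);
        $parts[] = 'Max-Age=' . $maxAge;
    }
    if ($path !== '') {
        $parts[] = 'Path=' . $path;
    }
    if ($domain !== '') {
        $parts[] = 'Domain=' . $domain;
    }
    if ($secure) {
        $parts[] = 'Secure';
    }
    if ($httpOnly) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $sameSite;

    return implode('; ', $parts);
}

/**
 * Emit the header. The second argument (false) tells header() to append
 * rather than replace, so several cookies can be set in one response.
 */
function sendSameSiteCookie(string $name, string $value, string $sameSite = 'Lax'): void
{
    header('Set-Cookie: ' . buildSameSiteCookie($name, $value, $sameSite), false);
}

// Constructed usage: a session-identifier cookie that browsers supporting
// SameSite will withhold from cross-site requests.
echo buildSameSiteCookie('PHPSESSID', 'abc123', 'Strict'), PHP_EOL;
```

Run from the command line the script only prints the header value; in a web request sendSameSiteCookie() hands the same string to header(). Browsers that do not yet implement SameSite ignore the unknown attribute and treat the cookie as an ordinary one, which is why this remains a mitigation layered on top of existing CSRF defences rather than a replacement for them.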
Proposal
The proposal affects four functions in the PHP API.
- setcookie
- setrawcookie
- session_set_cookie_params
- session_get_cookie_params
setcookie
to be written
setrawcookie
to be written
session_set_cookie_params
to be written
session_get_cookie_params
to be written
Pros and cons: why or why not to adopt this RFC
This RFC affects the security of PHP installations. Therefore it might seem a no-brainer that it should be accepted. However, that is not entirely the case. In order to present voters with a comprehensive view of the subject, both pros and cons will be set out.
Pros
to be written
Cons
to be written
Backward Incompatible Changes
There are no backward incompatible changes.
Proposed PHP Version(s)
next PHP 7.x
RFC Impact
php.ini defaults
The following ini values will be added.
- session.cookie_samesite
The default value is the empty string in both default development and production php.ini.
Proposed Voting Choices
This RFC requires a 50%+1 majority.