
PHP RFC: Same Site Cookie

  • Version: 0.9
  • Date: 2017-07-16
  • Author of RFC and creator of PR: Frederik Bosch, f.bosch@genkgo.nl
  • Author of original patch: xistence at 0x90 dot nl
  • Status: Draft

Introduction

Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain. The technology is currently a proposed web standard. However, same-site cookies are already supported by Chrome and planned by Firefox. Major PHP frameworks have already implemented this through a custom Set-Cookie header call. This RFC will try to convince voters that same-site cookies should be available as a core language feature.
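The following is an added example, not code from the RFC, its patch, or any framework: it shows the workaround the introduction refers to, emitting the SameSite attribute by building the Set-Cookie header by hand because setcookie() at the time had no parameter for it. The helper names build_samesite_cookie() and set_samesite_cookie() are assumptions made for this example; the name and value validation mirrors the rejections setcookie() itself performs, and only the Strict and Lax values that the draft standard defines are accepted.

```php
<?php
// Added example (not part of the RFC or any framework's code): emit a
// same-site cookie with a hand-built Set-Cookie header, the approach the RFC
// says frameworks use because setcookie() has no SameSite parameter.
// build_samesite_cookie() and set_samesite_cookie() are names assumed here.

declare(strict_types=1);

/**
 * Build the value of a Set-Cookie header carrying the SameSite attribute.
 * Returns the value without the "Set-Cookie: " prefix so it can be inspected.
 */
function build_samesite_cookie(
    string $name,
    string $value,
    string $sameSite = 'Lax',
    int $expires = 0,
    string $path = '/',
    string $domain = '',
    bool $secure = true,
    bool $httpOnly = true
): string {
    // Reject the same separator and control characters setcookie() refuses in a name.
    if ($name === '' || strpbrk($name, "=,; \t\r\n\x0b\x0c") !== false) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    // Only the values the draft standard defines are allowed; an unknown value
    // would be ignored by browsers and silently leave the cookie unprotected.
    if (!in_array($sameSite, ['Strict', 'Lax'], true)) {
        throw new InvalidArgumentException('SameSite must be Strict or Lax');
    }

    // Percent-encode the value as setcookie() does (setrawcookie() would not).
    $parts = [$name . '=' . urlencode($value)];
    if ($expires > 0) {
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    if ($path !== '') {
        $parts[] = 'Path=' . $path;
    }
    if ($domain !== '') {
        $parts[] = 'Domain=' . $domain;
    }
    if ($secure) {
        $parts[] = 'Secure';
    }
    if ($httpOnly) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $sameSite;

    return implode('; ', $parts);
}

/**
 * Queue the cookie as an additional Set-Cookie header. The second argument
 * (false) keeps any Set-Cookie headers already queued instead of replacing them.
 */
function set_samesite_cookie(string $name, string $value, string $sameSite = 'Lax'): void
{
    header('Set-Cookie: ' . build_samesite_cookie($name, $value, $sameSite), false);
}

// Usage: a session-style cookie that browsers will not attach to cross-site requests.
set_samesite_cookie('app_session', 'opaque-session-id', 'Strict');
// Header emitted: Set-Cookie: app_session=opaque-session-id; Path=/; Secure; HttpOnly; SameSite=Strict
```

The Secure and HttpOnly flags default to on here because a SameSite attribute on its own does nothing against a cookie being read by script or sent over plain HTTP; a Strict cookie is the natural choice for a session identifier, while Lax still allows the cookie on top-level navigations such as following a link from another site.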

Proposal

The proposal affects four functions in the PHP API.

  1. setcookie
  2. setrawcookie
  3. session_set_cookie_params
  4. session_get_cookie_params

setcookie

to be written

setrawcookie

to be written

to be written

to be written

Pros and cons: why or why not to adopt this RFC

This RFC affects the security of PHP installations. Therefore it might seem a no-brainer that it should be accepted. However, that is not completely the case. In order to present voters with a comprehensive view on the subject, both pros and cons will be emphasized.

Pros

to be written

Cons

to be written

Backward Incompatible Changes

There are no backward incompatible changes.

Proposed PHP Version(s)

next PHP 7.x

RFC Impact

php.ini defaults

The following ini values will be added.

  • session.cookie_samesite

The default value is the empty string in both default development and production php.ini.

Proposed Voting Choices

This RFC requires a 50%+1 majority.

Patches and Tests

References

rfc/same-site-cookie.1500235056.txt.gz · Last modified: 2017/09/22 13:28 (external edit)