PHP RFC: Same Site Cookie

  • Version: 0.9
  • Date: 2017-07-16
  • Author of RFC and creator of PR: Frederik Bosch, f.bosch@genkgo.nl
  • Author of original patch: xistence at 0x90 dot nl
  • Status: Draft

Introduction

Same-site cookies allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain. The technology is currently a proposed web standard. However, same-site cookies are already supported by Chrome and planned for Firefox. Major PHP frameworks already implement this by emitting a custom Set-Cookie header, since the core cookie functions offer no way to add the attribute. This RFC will try to convince voters that same-site cookies should be available as a core language feature.

Proposal

According to the proposed standard, there are two possible values for a cookie that uses the samesite flag: “Lax” and “Strict”. In order to add this samesite flag to issued cookies, four core functions will be affected by this RFC.

  1. setcookie
  2. setrawcookie
  3. session_set_cookie_params
  4. session_get_cookie_params

setcookie

The syntax of the setcookie function will get an extra argument samesite.

bool setcookie ( string $name [, string $value = "" [, int $expire = 0 [, string $path = "" [, string $domain = "" [, bool $secure = false [, bool $httponly = false [, string $samesite = "" ]]]]]]] )

setrawcookie

The syntax of the setrawcookie function will get an extra argument samesite.

bool setrawcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false [, string $samesite = "" ]]]]]]] )

The syntax of the session_set_cookie_params function will get an extra argument samesite.

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false [, string $samesite = "" ]]]]] )

The return value of the session_get_cookie_params function will have an extra key samesite in the returned array.

array(
  "lifetime" => 0,             // The lifetime of the cookie in seconds.
  "path" => "/",               // The path where information is stored.
  "domain" => "example.org",   // The domain of the cookie.
  "secure" => true,            // The cookie should only be sent over secure connections.
  "httponly" => true,          // The cookie can only be accessed through the HTTP protocol.
  "samesite" => "Strict"       // The cookie can only be accessed if it was initiated from the same registrable domain.
)
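The following is an added illustration and is not part of the RFC text or its patch. It shows the header()-based workaround that frameworks use today next to the same cookies issued through the core functions with the extra $samesite argument proposed above. It assumes a PHP build that includes the proposed patch; the helper function name, the cookie names and the chosen values are illustrative.

```php
<?php
// Added example, not from the RFC or its patch. Assumes a PHP build that
// includes the proposed extra $samesite argument on setcookie() and
// session_set_cookie_params(); the helper and cookie names are made up.

// 1. Pre-RFC workaround: emit the Set-Cookie header by hand, because the
//    current setcookie() has no way to append "; SameSite=...".
function setSameSiteCookieViaHeader(string $name, string $value, string $sameSite): void
{
    // Only the two values from the proposed standard are meaningful.
    if (!in_array($sameSite, ['Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('samesite must be "Lax" or "Strict"');
    }
    header(sprintf(
        'Set-Cookie: %s=%s; Path=/; Secure; HttpOnly; SameSite=%s',
        rawurlencode($name),
        rawurlencode($value),
        $sameSite
    ), false); // false: do not replace Set-Cookie headers already queued
}

setSameSiteCookieViaHeader('csrf_token_legacy', bin2hex(random_bytes(16)), 'Strict');

// 2. With the RFC applied: the same cookie through the core API, using the
//    positional signature proposed above:
//    setcookie($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite)
setcookie('csrf_token', bin2hex(random_bytes(16)), 0, '/', '', true, true, 'Strict');

// 3. Session cookie: "Lax" keeps the session when the user arrives via a
//    top-level navigation from another site, while the browser still withholds
//    the cookie on cross-site POSTs and subresource requests. "Strict" would
//    log the user out on every cross-site link.
session_set_cookie_params(0, '/', '', true, true, 'Lax');
session_start();

// 4. The new "samesite" key in the array returned by session_get_cookie_params().
$params = session_get_cookie_params();
assert($params['samesite'] === 'Lax');
```

Whether a given cookie should be Lax or Strict depends on whether the application must keep working on cross-site top-level navigations; the session cookie is the usual case for Lax, while a dedicated anti-CSRF token can safely be Strict.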

Pros and cons: why or why not to adopt this RFC

This RFC affects the security of PHP installations. Therefore it might seem a no-brainer that it should be accepted. However, that is not completely the case. In order to present voters with a comprehensive view of the subject, both pros and cons will be set out.

Pros

to be written

Cons

to be written

Backward Incompatible Changes

There are no backward incompatible changes.

Proposed PHP Version(s)

next PHP 7.x

RFC Impact

php.ini defaults

The following ini values will be added.

  • session.cookie_samesite

The default value is the empty string in both default development and production php.ini.

Proposed Voting Choices

This RFC requires a 50%+1 majority.

Patches and Tests

References

rfc/same-site-cookie.1500322722.txt.gz · Last modified: 2017/09/22 13:28 (external edit)