rfc:same-site-parameter

rfc:same-site-parameter [2022/12/02 02:32] – Created first draft girgiasrfc:same-site-parameter [2023/01/14 15:11] – PR link girgias
Line 6: Line 6:
   * Status: Under Discussion   * Status: Under Discussion
   * Target Version: PHP 8.3   * Target Version: PHP 8.3
-  * Implementation: [[https://github.com/php/php-src/pull/7546]]+  * Implementation: [[https://github.com/php/php-src/pull/10317]]
   * First Published at: [[http://wiki.php.net/rfc/same-site-parameter]]   * First Published at: [[http://wiki.php.net/rfc/same-site-parameter]]
  
Line 18: Line 18:
 ==== Background and Motivation ==== ==== Background and Motivation ====
  
-Support for the SameSite attribute was added in https://wiki.php.net/rfc/same-site-cookie, the vote was split between two implementations, the one which was implemented, changing the 3rd argument to accept an array of optional attributes referenced by keys, and adding a SameSite parameter.+Support for the SameSite attribute was added in the [[rfc:same-site-cookie|Same Site Cookie]] RFC, the vote was split between two implementations, the one which was implemented, changing the 3rd argument to accept an array of optional attributes referenced by keys, and adding a SameSite parameter.
  
 The proposal to add a SameSite parameter was unanimously declined, however, we believe this proposal should be revisited as PHP has changed and gained additional capabilities since version 7.3. The proposal to add a SameSite parameter was unanimously declined, however, we believe this proposal should be revisited as PHP has changed and gained additional capabilities since version 7.3.
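Review bot: the first paragraph of this hunk is a comma splice and "the one which was implemented" leaves it unclear which of the two implementations won; split it into two sentences, e.g. "Support for the SameSite attribute was added in the [[rfc:same-site-cookie|Same Site Cookie]] RFC. The vote was split between two implementations: changing the third argument to accept an array of optional attributes referenced by keys (the one that was adopted), and adding a dedicated SameSite parameter." The second paragraph then reads naturally as the declined alternative being revisited.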
Line 40: Line 40:
 </PHP> </PHP>
  
-Which contains the 3 valid values for the SameSite attribute https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute+Which contains the 3 valid values for the SameSite attribute defined in the [[https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute|IETF 6265 RFC draft]].
  
 Secondly, add a <php>SameSite $sameSite = SameSite::Lax</php> parameter to: Secondly, add a <php>SameSite $sameSite = SameSite::Lax</php> parameter to:
  
-  * <php>setcookie()</php> +  * <php>setcookie(string $name, string $value = "", array|int $expires_or_options = 0, string $path = "", string $domain = "", bool $secure = false, bool $httponly = false, SameSite $sameSite = SameSite::Lax)</php> 
-  * <php>setrawcookie()</php> +  * <php>setrawcookie(string $name, string $value = "", array|int $expires_or_options = 0, string $path = "", string $domain = "", bool $secure = false, bool $httponly = false, SameSite $sameSite = SameSite::Lax)</php> 
-  * <php>session_set_cookie_params()</php>+  * <php>session_set_cookie_params(array|int $lifetime_or_options, ?string $path = null, ?string $domain = null, ?bool $secure = null, ?bool $httponly = null, SameSite $sameSite = SameSite::Lax)</php>
    
 Moreover, if attempting to set the SameSite attribute to None, the Secure attribute must be set, otherwise a ValueError will be raised. Moreover, if attempting to set the SameSite attribute to None, the Secure attribute must be set, otherwise a ValueError will be raised.
-This behaviour aligns will REFERENCE TO RFC 6265bis (or other) SECTION+This behaviour aligns with section 5.6.19 of the [[https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/|Draft IETF RFC 6265bis]]: 
 +<blockquote> 
 +19.  If the cookie's "same-site-flag" is "None", abort these steps and ignore the cookie entirely unless the cookie's secure-only-flag is true. 
 +</blockquote>
  
 ==== Implementation details ==== ==== Implementation details ====
  
-Currently, if an invalid or no SameSite attribute is set, the Set-Cookie header is emit without the Default value and uses the default behaviour, which used to be ''SameSite:None'' but is being replaced by ''SameSite:Lax'' in the IETF RFC 6265bis Cookies: HTTP State Management Mechanism draft, and this behavioural change has started in some user agents.+Currently, if no SameSite attribute is set, the Set-Cookie header is emitted without any ''SameSite'' attribute relying on the default behaviour of user agents, which used to be ''SameSite=None'' but is being replaced by ''SameSite=Lax'' in the IETF RFC 6265bis Cookies: HTTP State Management Mechanism draft, and this behavioural change has already started in some user agents.
  
 As it is recommended to set this attribute, we align the default value with the draft internet standard. As it is recommended to set this attribute, we align the default value with the draft internet standard.
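Review bot: the "None requires Secure, otherwise ValueError" rule is stated only for the new <php>SameSite $sameSite</php> parameter, but all three signatures in this hunk keep <php>array|int $expires_or_options</php>, so the text should say whether the same check fires when ''samesite'' is passed through the options array, and what happens when both the array key and the <php>$sameSite</php> parameter are supplied (which one wins, or whether that combination is itself a ValueError). In <php>session_set_cookie_params()</php> the other parameters are nullable (<php>?bool $secure = null</php> meaning "keep the current ini value"), whereas <php>SameSite $sameSite = SameSite::Lax</php> is not, so a call that only updates <php>$path</php> would silently reset ''session.cookie_samesite'' to Lax; <php>?SameSite $sameSite = null</php> would match the existing convention. Finally, the two link texts ("IETF 6265 RFC draft" and "Draft IETF RFC 6265bis") should be made consistent, and the "section 5.6.19" reference should name the draft revision it was taken from, since section numbering moves between draft versions.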
Line 64: Line 67:
 This RFC does not contain any backwards incompatible changes for the PHP 8 major release cycle. This RFC does not contain any backwards incompatible changes for the PHP 8 major release cycle.
  
-In PHP 9, the <php>SameSite $sameSite = SameSite::Lax</php> value will be enforced.+In PHP 9, the <php>SameSite $sameSite = SameSite::Lax</php> value will be enforced. Meaning, every cookie header set via the relevant function will contain the ''SameSite=Lax'' attribute.
  
 ===== Proposed PHP Version ===== ===== Proposed PHP Version =====
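Review bot: "will be enforced" in the PHP 9 sentence is ambiguous next to the Implementation details, which already align the default with ''SameSite=Lax''; state whether in 8.3 a cookie set without the parameter already emits ''SameSite=Lax'' or only PHP 9 does, and if the latter, whether 8.3 emits a deprecation for the old behaviour, since that bears on the "no backwards incompatible changes" claim in the same hunk. Also "Meaning, every cookie header set via the relevant function will contain ..." is a fragment; fold it into the preceding sentence ("... will be enforced, meaning every cookie header set via these functions will contain the ''SameSite=Lax'' attribute.").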
Line 74: Line 77:
 As per the voting RFC a yes/no vote with a 2/3 majority is needed for this proposal to be accepted. As per the voting RFC a yes/no vote with a 2/3 majority is needed for this proposal to be accepted.
  
-Voting started on 2022-XX-XX and will end on 2022-XX-XX.+Voting started on 2023-XX-XX and will end on 2023-XX-XX.
 <doodle title="Accept Add SameSite cookie attribute parameter RFC?" auth="girgias" voteType="single" closed="true"> <doodle title="Accept Add SameSite cookie attribute parameter RFC?" auth="girgias" voteType="single" closed="true">
    * Yes    * Yes
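Review bot: the voting dates are still ''2023-XX-XX'' placeholders while the doodle carries closed="true"; these should be filled in and the doodle opened together when the status moves past Under Discussion, so the vote window in the text and the poll state do not disagree.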
Line 82: Line 85:
 ===== Implementation ===== ===== Implementation =====
  
-GitHub pull request: https://github.com/php/php-src/pull/XXXX+GitHub pull request: https://github.com/php/php-src/pull/10317
  
 After the project is implemented, this section should contain After the project is implemented, this section should contain
rfc/same-site-parameter.txt · Last modified: 2023/01/15 00:53 by theodorejb