rfc:same-site-parameter

rfc:same-site-parameter [2022/12/02 02:32] – Created first draft girgias
rfc:same-site-parameter [2023/01/15 00:53] (current) – Fix typos theodorejb
Line 6: Line 6:
   * Status: Under Discussion   * Status: Under Discussion
   * Target Version: PHP 8.3   * Target Version: PHP 8.3
-  * Implementation: [[https://github.com/php/php-src/pull/7546]]+  * Implementation: [[https://github.com/php/php-src/pull/10317]]
   * First Published at: [[http://wiki.php.net/rfc/same-site-parameter]]   * First Published at: [[http://wiki.php.net/rfc/same-site-parameter]]
  
Line 12: Line 12:
  
 The support for the SameSite cookie attribute has been added in PHP 7.3. The support for the SameSite cookie attribute has been added in PHP 7.3.
-However, it can only be set by passing an array of options with the ''"samesite"'' key defied to the chosen value, this contrasts with all the other attributes.+However, it can only be set by passing an array of options with the ''"samesite"'' key defined to the chosen value, this contrasts with all the other attributes.
  
 This RFC proposes to add a SameSite parameter to all relevant functions. This RFC proposes to add a SameSite parameter to all relevant functions.
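Review bot: the sentence in the Line 12 hunk still has a comma splice after the typo fix: "with the ''"samesite"'' key defined to the chosen value, this contrasts with all the other attributes" should be split into two sentences or joined with a semicolon, and "defined to" reads more naturally as "set to".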
Line 18: Line 18:
 ==== Background and Motivation ==== ==== Background and Motivation ====
  
-Support for the SameSite attribute was added in https://wiki.php.net/rfc/same-site-cookie, the vote was split between two implementations, the one which was implemented, changing the 3rd argument to accept an array of optional attributes referenced by keys, and adding a SameSite parameter.+Support for the SameSite attribute was added in the [[rfc:same-site-cookie|Same Site Cookie]] RFC, the vote was split between two implementations, the one which was implemented, changing the 3rd argument to accept an array of optional attributes referenced by keys, and adding a SameSite parameter.
  
 The proposal to add a SameSite parameter was unanimously declined, however, we believe this proposal should be revisited as PHP has changed and gained additional capabilities since version 7.3. The proposal to add a SameSite parameter was unanimously declined, however, we believe this proposal should be revisited as PHP has changed and gained additional capabilities since version 7.3.
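Review bot: the first sentence of the Line 18 hunk is hard to parse after the link change: "the vote was split between two implementations, the one which was implemented, changing the 3rd argument to accept an array of optional attributes referenced by keys, and adding a SameSite parameter" should name the two options explicitly, e.g. "the vote was split between two implementations: changing the third argument to accept an array of optional attributes referenced by keys (the one that was implemented), and adding a SameSite parameter." The next sentence's "unanimously declined" also sits uneasily beside "the vote was split" and deserves a clarifying clause.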
Line 29: Line 29:
 ===== Proposal ===== ===== Proposal =====
  
-The proposal consists of two part.+The proposal consists of two parts.
 First, add the following enumeration: First, add the following enumeration:
  
Line 40: Line 40:
 </PHP> </PHP>
  
-Which contains the 3 valid values for the SameSite attribute https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute+Which contains the 3 valid values for the SameSite attribute defined in the [[https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute|IETF 6265 RFC draft]].
  
 Secondly, add a <php>SameSite $sameSite = SameSite::Lax</php> parameter to: Secondly, add a <php>SameSite $sameSite = SameSite::Lax</php> parameter to:
  
-  * <php>setcookie()</php> +  * <php>setcookie(string $name, string $value = "", array|int $expires_or_options = 0, string $path = "", string $domain = "", bool $secure = false, bool $httponly = false, SameSite $sameSite = SameSite::Lax)</php> 
-  * <php>setrawcookie()</php> +  * <php>setrawcookie(string $name, string $value = "", array|int $expires_or_options = 0, string $path = "", string $domain = "", bool $secure = false, bool $httponly = false, SameSite $sameSite = SameSite::Lax)</php> 
-  * <php>session_set_cookie_params()</php>+  * <php>session_set_cookie_params(array|int $lifetime_or_options, ?string $path = null, ?string $domain = null, ?bool $secure = null, ?bool $httponly = null, SameSite $sameSite = SameSite::Lax)</php>
    
 Moreover, if attempting to set the SameSite attribute to None, the Secure attribute must be set, otherwise a ValueError will be raised. Moreover, if attempting to set the SameSite attribute to None, the Secure attribute must be set, otherwise a ValueError will be raised.
-This behaviour aligns will REFERENCE TO RFC 6265bis (or other) SECTION+This behaviour aligns with section 5.6.19 of the [[https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/|Draft IETF RFC 6265bis]]: 
 +<blockquote> 
 +19.  If the cookie's "same-site-flag" is "None", abort these steps and ignore the cookie entirely unless the cookie's secure-only-flag is true. 
 +</blockquote>
  
 ==== Implementation details ==== ==== Implementation details ====
  
-Currently, if an invalid or no SameSite attribute is set, the Set-Cookie header is emit without the Default value and uses the default behaviour, which used to be ''SameSite:None'' but is being replaced by ''SameSite:Lax'' in the IETF RFC 6265bis Cookies: HTTP State Management Mechanism draft, and this behavioural change has started in some user agents.+Currently, if no SameSite attribute is set, the Set-Cookie header is emitted without any ''SameSite'' attribute relying on the default behaviour of user agents, which used to be ''SameSite=None'' but is being replaced by ''SameSite=Lax'' in the IETF RFC 6265bis Cookies: HTTP State Management Mechanism draft, and this behavioural change has already started in some user agents.
  
 As it is recommended to set this attribute, we align the default value with the draft internet standard. As it is recommended to set this attribute, we align the default value with the draft internet standard.
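Review bot: the full signatures added in the Line 40 hunk leave the conflict case unspecified: ''$expires_or_options'' can still carry a ''"samesite"'' key while the new ''SameSite $sameSite'' parameter is passed as well, so the text should state which value wins or whether that combination raises a ValueError like the None-without-Secure case. For ''session_set_cookie_params()'', ''?bool $secure = null'' means the Secure check for ''SameSite::None'' must be evaluated against the effective setting rather than the raw argument, otherwise a null ''$secure'' could wrongly pass or wrongly reject the call; a sentence on this belongs next to the ValueError paragraph.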
Line 64: Line 67:
 This RFC does not contain any backwards incompatible changes for the PHP 8 major release cycle. This RFC does not contain any backwards incompatible changes for the PHP 8 major release cycle.
  
-In PHP 9, the <php>SameSite $sameSite = SameSite::Lax</php> value will be enforced.+In PHP 9, the <php>SameSite $sameSite = SameSite::Lax</php> value will be enforced. Meaning, every cookie header set via the relevant function will contain the ''SameSite=Lax'' attribute.
  
 ===== Proposed PHP Version ===== ===== Proposed PHP Version =====
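Review bot: the sentence added in the Line 64/67 hunk conflicts with the signature ''SameSite $sameSite = SameSite::Lax'' in the proposal: if the parameter already defaults to Lax in PHP 8.3, it is unclear what "enforced" in PHP 9 changes, so spell out the 8.3 behaviour when the argument is omitted (attribute emitted or not) and what differs in 9. Also "Meaning, every cookie header set via the relevant function will contain ..." is a fragment; write "This means that every cookie header ...".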
Line 74: Line 77:
 As per the voting RFC a yes/no vote with a 2/3 majority is needed for this proposal to be accepted. As per the voting RFC a yes/no vote with a 2/3 majority is needed for this proposal to be accepted.
  
-Voting started on 2022-XX-XX and will end on 2022-XX-XX.+Voting started on 2023-XX-XX and will end on 2023-XX-XX.
 <doodle title="Accept Add SameSite cookie attribute parameter RFC?" auth="girgias" voteType="single" closed="true"> <doodle title="Accept Add SameSite cookie attribute parameter RFC?" auth="girgias" voteType="single" closed="true">
    * Yes    * Yes
Line 82: Line 85:
 ===== Implementation ===== ===== Implementation =====
  
-GitHub pull request: https://github.com/php/php-src/pull/XXXX+GitHub pull request: https://github.com/php/php-src/pull/10317
  
 After the project is implemented, this section should contain After the project is implemented, this section should contain
rfc/same-site-parameter.1669948375.txt.gz · Last modified: 2022/12/02 02:32 by girgias