We need the "Partitioned" parameter to be added to setcookie() options. #12646
Comments
Precedent: SameSite was implemented in PHP while the standard was still in draft status, with the rationale being that other libraries had already implemented it. Symfony has added support for Partitioned. This may require an RFC, if just to decide once and for all whether or not to: There is a similar RFC for SameSite that's gone stale. |
Certainly not hard to implement at our side. Here's a proof-of-concept that adds the option to the setcookie() $options argument: #12652 I'm not sure whether adding the option to the $options array requires an RFC, but probably changing the signature does indeed. I agree with Damian that should be resolved together with "what to do with SameSite argument?" and we should indeed answer the a, b, c questions too. |
Well, the array already allows more than args, so it wasn't a problem before as I see it :) |
Google has sent out the notification that 1% of all chrome browsers will be using this on Jan 4, 2024! If this has not been handled elsewhere I think it needs to be put on high priority. Especially the $options version of setcookie as it already added samesite. |
As requested by Ilija I sent an email to the mailing list to be able to move forward with the PR. |
It might also be necessary to include this option in the list of arguments for the |
To be clear, is there an alternative option for setting cookies if the |
@dxh9845 there are a couple of other alternatives to partitioned cookies suggested by chrome. |
@dxh9845 it's possible, using header() directly (as suggested on the setcookie docs page) . It's not a particularly elegant solution by any measure, but it works just fine for Chrome partitioning support. |
@dxh9845 I just tried the following and it seems to work. Maybe someone can let us know if this is not a reliable solution. |
Hi, glad to see you all are working on this. The warnings in Chrome are getting scarier :) |
It would be nice if the native |
I'm going to work on an RFC, that includes the session and setcookie stuff, sometime in the near future such that 8.4 will support this. |
To opt a cookie in to Chrome's 3rd party cookie partitioning solution, CHIPS, the property 'Partitioned;' needs to be set. This adds a helper class supporting this, for a given cookie(s). Note also, PHP's native cookie APIs (setcookie, etc) don't support this cookie property yet - (php/php-src#12646). Since this class is intended to allow existing Set-Cookie headers to be modified before being sent (e.g. allowing clients to set a property on a cookie set elsewhere in code), it deals with the headers directly anyway but it means that new cookies must also use this helper to opt-in, instead of relying on setcookie(). E.g. where the intent is to add partitioning support to a new cookie, that cookie must first be set (setcookie) and then it may opt-in to partitioning via this helper; partitioning support cannot be achieved directly through setcookie and friends yet.
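The header-rewriting approach this commit message describes, as an added example. It is not the referenced helper class, nor code from php-src or from any commenter here; the function names `add_partitioned` and `partition_queued_cookies` and the sample headers are assumptions made for illustration.

```php
<?php
// Added example; function names and sample data are illustrative assumptions.
// Pure function over header strings, so it can be exercised without a web server.
function add_partitioned(array $headerLines, array $cookieNames): array
{
    $out = [];
    foreach ($headerLines as $line) {
        // Leave non-cookie headers and cookies not named by the caller untouched.
        if (!preg_match('/^Set-Cookie:\s*([^=;\s]+)=/i', $line, $m)
            || !in_array($m[1], $cookieNames, true)) {
            $out[] = $line;
            continue;
        }
        // Attribute names are case-insensitive: split on ';' and compare lowercased.
        $attrs = array_map('trim', explode(';', $line));
        $names = array_map(fn ($a) => strtolower(explode('=', $a, 2)[0]), array_slice($attrs, 1));
        // Partitioned needs Secure alongside it, so add Secure when missing.
        foreach (['Secure', 'Partitioned'] as $attr) {
            if (!in_array(strtolower($attr), $names, true)) {
                $attrs[] = $attr;
            }
        }
        $out[] = implode('; ', $attrs);
    }
    return $out;
}

// Call after session_start()/setcookie() and before any output is sent.
function partition_queued_cookies(array $cookieNames): void
{
    if (headers_sent()) {
        throw new RuntimeException('Headers already sent; cookies cannot be rewritten');
    }
    $lines = add_partitioned(headers_list(), $cookieNames);
    header_remove('Set-Cookie');
    foreach ($lines as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            header($line, false); // false = append instead of replacing earlier cookies
        }
    }
}

// Constructed sample, shaped like the output of headers_list().
$sample = [
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; SameSite=None',
    'Set-Cookie: theme=dark; path=/',
];
print_r(add_partitioned($sample, ['PHPSESSID']));
```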
I tried it, it looks good. |
Setting the cookie via the HTTP Header (which is the way implemented by Symfony https://symfony.com/blog/new-in-symfony-6-4-chips-cookies) is not feasible with session cookies. The option for partitioned ones needs to be set also there: https://www.php.net/manual/en/session.configuration.php |
But you can still write your own session cookie handler/manager... Not the best solution, but still better than nothing. |
This worked for me:
```php
setcookie('cookie', $cipherData, [
    'expires' => strtotime('+ 3 hours'),
    'path' => '/',
    'httponly' => true,
    'secure' => true,
    'samesite' => 'None; Partitioned' /* Hack to make CHIPS: https://github.com/php/php-src/issues/12646 */
]);
```
|
If you want that all cookies use this (even the PHPSESSID), you can do something like this before
|
I use the following, for apache2/PHP, that works with firefox 132.0 and chrome 130.0.6723.92.
session_name is here to be able to track things in a cross-domain case, both on PHP |
Description
As stated here (link), soon our cookies with `SameSite=None; Secured`, without the `Partitioned` parameter, will stop working.

Currently, there is no capability to add this parameter through `setcookie()`. A temporary solution could be to use `header()` to form the header, but it would be better to avoid this.

Google Chrome marks these cookies as deprecated already: