Hi Andrey,
Thanks for your feedback. If we are going to wait for http_cookie_set,
then my guess will be that it will take a while before we see samesite
cookie implemented. While I totally agree there is need for a new
function with a better API, I fail to see why that would mean we cannot
have a samesite argument in the set(raw)cookie functions now. The RFC is
in line with the design of these functions.
With regard to browsers not implementing it, let me quote the current
documentation on the httponly argument. "It has been suggested that this
setting can effectively help to reduce identity theft through XSS
attacks (although it is not supported by all browsers), but that claim
is often disputed." Basically it says that it is not supported by all
browsers, but provides help reducing XSS attacks. I don't see the
difference with samesite.
Best,
Frederik
On 18-07-17 12:37, Andrey Andreev wrote:
Hi Frederik,
On Tue, Jul 18, 2017 at 12:11 AM, Frederik Bosch | Genkgo
<f.bo...@genkgo.nl> wrote:
LS,
Today I finished writing the RFC for implementing same site cookies in PHP,
https://wiki.php.net/rfc/same-site-cookie. I am happy to receive your
remarks on the proposal, and improve when necessary.
For those (only) interested in code, have a look at PR # 2613:
https://github.com/php/php-src/pull/2613.
For the record, I am just a messenger in this regard. Someone uploaded a
patch for this feature in bug #72230: https://bugs.php.net/bug.php?id=72230.
I just took the opportunity to create a PR and the corresponding RFC.
Credits for the code go to xistence at 0x90 dot nl.
Hopefully, the samesite cookie flag will become a feature of the PHP
language through this RFC!
Unfortunately, all of the cons you've explained in the RFC are very
valid concerns.
I'd rather first see what happens with http_cookie_set() that's being
talked about in another thread currently (I suspect inspired by this).
Cheers,
Andrey.
--
Frederik Bosch
Partner
Mail: f.bo...@genkgo.nl
Web: https://support.genkgo.com
Entrada 123
Amsterdam
+31 208 943 931
Genkgo B.V. is registered with the Chamber of Commerce (Kamer van Koophandel) under number
56501153
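The thread above argues that a samesite argument belongs next to the existing secure and httponly flags of setcookie()/setrawcookie(). The following is an added example, not code from the RFC or from PR #2613: it builds the Set-Cookie header by hand in the shape PHP's setcookie() emits, so the effect of the proposed flag is visible in the header itself. The helper name build_set_cookie() and the cookie values are assumptions constructed for this illustration; only Lax and Strict are accepted, which are the values the RFC discussion concerned at the time.

```php
<?php
// Added example (not the RFC's or PR #2613's code): assembles a Set-Cookie
// header carrying the SameSite attribute, which is what application code
// had to do itself while setcookie()/setrawcookie() had no samesite flag.
// build_set_cookie() is a hypothetical helper name.
function build_set_cookie(
    string $name,
    string $value,
    int $expires = 0,
    string $path = '/',
    string $domain = '',
    bool $secure = false,
    bool $httponly = false,
    string $samesite = ''
): string {
    // Only the values discussed in the thread; anything else is rejected
    // rather than silently emitted as an unknown attribute.
    if (!in_array($samesite, ['', 'Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('samesite must be Lax or Strict');
    }
    if ($name === '' || strpbrk($name, "=,; \t\r\n\013\014") !== false) {
        throw new InvalidArgumentException('cookie name contains invalid characters');
    }

    // setcookie() URL-encodes the value; setrawcookie() would not.
    $parts = [$name . '=' . urlencode($value)];

    if ($expires > 0) {
        // Same date format PHP uses for the expires attribute, plus Max-Age.
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    if ($path !== '')   { $parts[] = 'path=' . $path; }
    if ($domain !== '') { $parts[] = 'domain=' . $domain; }
    if ($secure)        { $parts[] = 'secure'; }
    if ($httponly)      { $parts[] = 'HttpOnly'; }
    // The attribute the RFC adds: browsers that implement it withhold the
    // cookie on cross-site requests (a CSRF mitigation); browsers that do
    // not know it ignore the attribute, exactly as with HttpOnly.
    if ($samesite !== '') { $parts[] = 'SameSite=' . $samesite; }

    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Constructed sample: a session cookie with all three defensive flags set.
$header = build_set_cookie('sid', 'constructed-session-id', 0, '/', '', true, true, 'Strict');

// Second argument false so an existing Set-Cookie header is not replaced.
header($header, false);
```

For the constructed call above the function returns `Set-Cookie: sid=constructed-session-id; path=/; secure; HttpOnly; SameSite=Strict`. The point of the example is the one Frederik makes: SameSite is an additive attribute on the same header the existing flags already populate, so partial browser support degrades to today's behaviour rather than breaking anything.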