On 18.07.2017 at 15:23, Frederik Bosch | Genkgo wrote:
Hi Andrey,

Thanks for your feedback. If we are going to wait for http_cookie_set, then my guess will be that it will take a while before we see samesite cookie implemented. While I totally agree there is need for a new function with a better API, I fail to see why that would mean we cannot have a samesite argument in the set(raw)cookie functions now. The RFC is in line with the design of these functions.

With regard to browsers not implementing it, let me quote the current documentation on the httponly argument. "It has been suggested that this setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers), but that claim is often disputed." Basically it says that it is not supported by all browsers, but provides help reducing XSS attacks. I don't see the difference with samesite.

Which browser in 2017 does not support 'httponly'?
That was true a decade ago; now that paragraph in the docs is just FUD.

On 18-07-17 12:37, Andrey Andreev wrote:
Hi Frederik,

On Tue, Jul 18, 2017 at 12:11 AM, Frederik Bosch | Genkgo
<f.bo...@genkgo.nl> wrote:
LS,

Today I finished writing the RFC for implementing same site cookies in PHP,
https://wiki.php.net/rfc/same-site-cookie. I am happy to receive your
remarks on the proposal, and improve when necessary.

For those (only) interested in code, have a look at PR # 2613:
https://github.com/php/php-src/pull/2613.

For the record, I am just a messenger in this regard. Someone uploaded a
patch for this feature in bug #72230: https://bugs.php.net/bug.php?id=72230.
I just took the opportunity to create a PR and the corresponding RFC.
Credits for the code go to xistence at 0x90 dot nl.

Hopefully, the samesite cookie flag will become a feature of the PHP
language through this RFC!

Unfortunately, all of the cons you've explained in the RFC are very
valid concerns.
I'd rather first see what happens with http_cookie_set() that's being
talked about in another thread currently (I suspect inspired by this)

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php