Hey Andrey,

On Mon, Jul 17, 2017 at 11:11 PM, Frederik Bosch | Genkgo <f.bo...@genkgo.nl> wrote:

> LS,
>
> Today I finished writing the RFC for implementing same site cookies in
> PHP, https://wiki.php.net/rfc/same-site-cookie. I am happy to receive
> your remarks on the proposal, and improve when necessary.
>
> For those (only) interested in code, have a look at PR #2613:
> https://github.com/php/php-src/pull/2613.
>
> For the record, I am just a messenger in this regard. Someone uploaded a
> patch for this feature in bug #72230: https://bugs.php.net/bug.php?id=72230.
> I just took the opportunity to create a PR and the corresponding RFC.
> Credits for the code go to xistence at 0x90 dot nl.
>
> Hopefully, the samesite cookie flag will become a feature of the PHP
> language through this RFC!

The current `setcookie` method has 7 parameters, of which 6 are optional. This is already a mess, as any default value change introduced for either forward-compliance or security issue compliance would result in a BC break. This RFC suggests adding even more parameters (URGH), increasing the impact of the issue.

I had already expressed this issue in https://wiki.php.net/rfc/openssl_aead, which made the `openssl_encrypt` endpoint a mess to deal with: an n-dimensional space of optional parameters and possible method behavior combinations :-P Imagine all the picturesque ways that people could come up with to do crypto the wrong way! Fascinating!

Creating a cookie string in userland is trivial, and the `setcookie` functionality should just be left alone and maybe deprecated, IMO.

Marco Pivetta
http://twitter.com/Ocramius
http://ocramius.github.com/
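As an added illustration of the userland route the reply above refers to (this is example code, not the RFC's, the PR's or either poster's), a helper that assembles a Set-Cookie header with a SameSite attribute and emits it via `header()` instead of extending the positional parameter list of `setcookie`. Assumptions: the attribute names and validation regexes follow RFC 6265 cookie syntax, and only the SameSite values Strict and Lax are accepted.

```php
<?php
// Added example: build a Set-Cookie header in userland, SameSite included.
// Assumption: name/value are checked against RFC 6265 token / cookie-octet
// rules so a caller cannot inject extra attributes or a second header line.

function build_set_cookie(string $name, string $value, array $attrs = []): string
{
    // cookie-name is an HTTP token: no CTLs, separators or whitespace
    if ($name === '' || preg_match('/[\x00-\x20\x7F()<>@,;:\\\\"\/\[\]?={}]/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    // cookie-value: no CTLs, whitespace, DQUOTE, comma, semicolon or backslash
    if (preg_match('/[\x00-\x20\x7F",;\\\\]/', $value)) {
        throw new InvalidArgumentException('invalid cookie value');
    }
    $parts = [$name . '=' . $value];

    if (isset($attrs['expires'])) {            // int: UNIX timestamp
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s', $attrs['expires']) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $attrs['expires'] - time());
    }
    foreach (['path' => 'Path', 'domain' => 'Domain'] as $key => $attr) {
        if (!empty($attrs[$key])) {
            // an attribute value must not carry a CTL or a ';' (would start a new attribute)
            if (preg_match('/[\x00-\x1F\x7F;]/', $attrs[$key])) {
                throw new InvalidArgumentException("invalid $attr");
            }
            $parts[] = $attr . '=' . $attrs[$key];
        }
    }
    if (!empty($attrs['secure']))   { $parts[] = 'Secure'; }
    if (!empty($attrs['httponly'])) { $parts[] = 'HttpOnly'; }
    if (isset($attrs['samesite'])) {
        // Assumption: only Strict and Lax are valid; reject anything else
        // rather than emit an attribute the browser will silently ignore.
        $mode = ucfirst(strtolower($attrs['samesite']));
        if (!in_array($mode, ['Strict', 'Lax'], true)) {
            throw new InvalidArgumentException('samesite must be Strict or Lax');
        }
        $parts[] = 'SameSite=' . $mode;
    }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Usage: second argument false so earlier Set-Cookie headers are not replaced.
header(build_set_cookie('session', 'abc123', [
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'strict',
]), false);
```

The attribute array grows without a BC break, which is the point the reply makes against adding an eighth positional parameter.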