On 18.07.2017 at 15:45, Marco Pivetta wrote:
Hey Andrey,
On Mon, Jul 17, 2017 at 11:11 PM, Frederik Bosch | Genkgo <f.bo...@genkgo.nl
wrote:

LS,

Today I finished writing the RFC for implementing same site cookies in
PHP, https://wiki.php.net/rfc/same-site-cookie. I am happy to receive
your remarks on the proposal, and improve when necessary.

For those (only) interested in code, have a look at PR # 2613:
https://github.com/php/php-src/pull/2613.

For the record, I am just a messenger in this regard. Someone uploaded a
patch for this feature in bug #72230: https://bugs.php.net/bug.php?id=72230.
I just took the opportunity to create a PR and the corresponding
RFC. Credits for the code go to xistence at 0x90 dot nl.

Hopefully, the samesite cookie flag will become a feature of the PHP
language through this RFC!

The current `setcookie` method has 7 parameters, of which 6 are optional.
This is already a mess, as any default value change introduced for either
forward-compliance or security issue compliance would result in a BC break.

This RFC suggests adding even more parameters (URGH), and increasing the
issue impact.

I had already expressed this issue in https://wiki.php.net/rfc/openssl_aead,
which made the `openssl_encrypt` endpoint a mess to deal with: an
n-dimensional space of optional parameters and possible method behavior
combinations :-P
Imagine all the picturesque ways that people could come up with to do
crypto the wrong way! Fascinating!

Creating a cookie string in userland is trivial, and the `setcookie`
functionality should just be left alone and maybe deprecated, IMO
I don't share your opinion, especially regarding 'should be deprecated', where I get the feeling some people's hobby is to deprecate working things.

Comparing cookie params with encryption is hopefully just kidding.
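Marco's remark above that a cookie string can be built in userland, carried through for the SameSite attribute that Frederik's RFC proposes: this is an added example, not code from the thread, the RFC or php-src; `buildSetCookie` and its option keys are assumed names, and named options stand in for the positional parameters the thread complains about.

```php
<?php
declare(strict_types=1);

// Hypothetical userland helper: emits a Set-Cookie value with the SameSite
// attribute without waiting for setcookie() to grow another parameter.
function buildSetCookie(string $name, string $value, array $opts = []): string
{
    // RFC 6265: the name must be a token (no CTLs, separators or whitespace).
    if ($name === '' || preg_match('/[\x00-\x20()<>@,;:\\\\"\/\[\]?={}\x7f]/', $name)) {
        throw new InvalidArgumentException("Invalid cookie name: $name");
    }
    $parts = [$name . '=' . rawurlencode($value)];

    if (!empty($opts['expires'])) {
        // Expires needs an HTTP-date in GMT; Max-Age is sent alongside because
        // browsers prefer it and it does not depend on the client clock.
        $ts = (int) $opts['expires'];
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $ts);
        $parts[] = 'Max-Age=' . max(0, $ts - time());
    }
    if (!empty($opts['domain']))   { $parts[] = 'Domain=' . $opts['domain']; }
    $parts[] = 'Path=' . ($opts['path'] ?? '/');
    if (!empty($opts['secure']))   { $parts[] = 'Secure'; }
    if (!empty($opts['httponly'])) { $parts[] = 'HttpOnly'; }

    if (isset($opts['samesite'])) {
        // Strict and Lax are the values the RFC discusses; reject anything else
        // rather than silently emitting an attribute the browser will ignore.
        $mode = ucfirst(strtolower((string) $opts['samesite']));
        if (!in_array($mode, ['Strict', 'Lax'], true)) {
            throw new InvalidArgumentException("Unsupported SameSite value: {$opts['samesite']}");
        }
        $parts[] = 'SameSite=' . $mode;
    }
    return implode('; ', $parts);
}

// Usage: a session cookie that is Secure, HttpOnly and SameSite=Strict.
// The second argument (false) keeps other queued Set-Cookie headers intact.
header('Set-Cookie: ' . buildSetCookie('session', 'abc123', [
    'expires'  => time() + 3600,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]), false);
```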

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php