Hey Andrey, On Mon, Jul 17, 2017 at 11:11 PM, Frederik Bosch | Genkgo <f.bo...@genkgo.nl > wrote:
> LS, > > Today I finished writing the RFC for implementing same site cookies in > PHP, https://wiki.php.net/rfc/same-site-cookie. I am happy to receive > your remarks on the proposal, and improve when necessary. > > For those (only) interested in code, have a look at PR # 2613: > https://github.com/php/php-src/pull/2613. > > For the record, I am just a messenger in this regard. Someone uploaded a > patch for this feature in bug #72230: https://bugs.php.net/bug.php?i > d=72230. I just took the opportunity to create a PR and the corresponding > RFC. Credits for the code go to xistence at 0x90 dot nl. > > Hopefully, the samesite cookie flag will become a feature of the PHP > language through this RFC! > The (already) infinite signature of this function just adds up some more scenarios where BC compliance becomes a problem. The current `setcookie` method has 7 parameters, of which 6 are optional. This is already a mess, as any default value change introduced for either forward-compliance or security issue compliance would result in a BC break. This RFC suggests adding even more parameters (URGH), and increasing the issue impact. I had already expressed this issue in https://wiki.php.net/rfc/openssl_aead, which basically passed Honestly, API Marco Pivetta http://twitter.com/Ocramius http://ocramius.github.com/
