Hi again,

On Tue, Jul 18, 2017 at 4:23 PM, Frederik Bosch | Genkgo <f.bo...@genkgo.nl> wrote:

> Hi Andrey,
>
> Thanks for your feedback. If we are going to wait for http_cookie_set,
> then my guess will be that it will take a while before we see samesite
> cookie implemented. While I totally agree there is need for a new function
> with a better API, I fail to see why that would mean we cannot have a
> samesite argument in the set(raw)cookie functions now. The RFC is in line
> with the design of these functions.

I don't know what you mean by "now" ... it's not like it can happen overnight.

> With regard to browsers not implementing it, let me quote the current
> documentation on the httponly argument. "It has been suggested that this
> setting can effectively help to reduce identity theft through XSS attacks
> (although it is not supported by all browsers), but that claim is often
> disputed." Basically it says that it is not supported by all browsers, but
> provides help reducing XSS attacks. I don't see the difference with
> samesite.

Well, if you insist on comparing the two ...

- HttpOnly was released with PHP 5.2.0 in January 2011 - just 3 months prior to IETF RFC 6265 (April 2011) becoming a standards track.
- SameSite has only a single IETF draft, which has expired because it's been inactive for a year.

I too want to see SameSite cookies added to PHP's standard library, but this is certainly not a thing that needs to happen yesterday. There's no reason not to wait for the http_cookie_set() proposal. And I too agree that adding a millionth parameter to setcookie() is the wrong approach anyway.

Cheers,
Andrey.
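The thread above is about whether setcookie()/setrawcookie() should grow a samesite argument. As an added illustration, not code from this thread, from Frederik, from Andrey, or from PHP itself, the following helper shows how an application can emit a SameSite cookie without waiting on the standard library: it writes the Set-Cookie header directly with header(). The function names, the parameter layout and the sample cookie values are this example's own choices; the attribute names (Secure, HttpOnly, SameSite with the values Lax and Strict) are the ones the RFC 6265 cookie format and the SameSite draft discussed in the message define.

```php
<?php
// Added example, not from the mailing-list thread or from PHP's own sources.
// Builds a Set-Cookie header value carrying Secure, HttpOnly and SameSite,
// so the attribute can be used on PHP versions whose setcookie() does not
// know about it. Name and parameter choices are hypothetical.
function build_samesite_cookie(
    string $name,
    string $value,
    string $sameSite = 'Lax',   // 'Lax' or 'Strict': the two values in the SameSite draft
    bool $secure = true,
    bool $httpOnly = true,
    string $path = '/',
    int $maxAge = 0
): string {
    // RFC 6265 cookie names are tokens: no control characters, spaces or separators.
    if ($name === '' || preg_match('/[\x00-\x20()<>@,;:\\\\"\/\[\]?={}\x7f]/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    if (!in_array($sameSite, ['Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('SameSite must be Lax or Strict');
    }
    // A path containing ';' or a control character would let it inject further attributes.
    if (preg_match('/[;\x00-\x1f\x7f]/', $path)) {
        throw new InvalidArgumentException('invalid cookie path');
    }

    // Percent-encode the value so ';', '=' or CR/LF in it cannot break out of the header.
    $parts = [$name . '=' . rawurlencode($value)];
    $parts[] = 'Path=' . $path;
    if ($maxAge > 0) {
        $parts[] = 'Max-Age=' . $maxAge;
    }
    if ($secure) {
        $parts[] = 'Secure';    // only sent over HTTPS
    }
    if ($httpOnly) {
        $parts[] = 'HttpOnly';  // not readable from document.cookie
    }
    $parts[] = 'SameSite=' . $sameSite;  // withheld on cross-site requests
    return implode('; ', $parts);
}

function send_samesite_cookie(string $name, string $value, string $sameSite = 'Lax'): void
{
    // Second argument false: append this header instead of replacing an
    // earlier Set-Cookie header, so several cookies can be set in one response.
    header('Set-Cookie: ' . build_samesite_cookie($name, $value, $sameSite), false);
}

// Constructed sample values; in a real handler the value would be a session id.
// send_samesite_cookie('sid', session_id(), 'Strict');
echo build_samesite_cookie('sid', 'abc123', 'Strict', true, true, '/', 3600), "\n";
```

Writing the header by hand is the workaround applications used while setcookie() lacked the attribute; the value is percent-encoded and the name and path are checked so that user-influenced input cannot smuggle extra attributes into the header. Later PHP releases added a samesite key to setcookie()'s options array, at which point the built-in function is the better choice.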