Hi,

On Thu, Sep 20, 2018 at 12:12 PM, Christoph M. Becker <cmbecke...@gmx.de> wrote:
> On 20.09.2018 at 08:15, Nicolas Grekas wrote:
>
>> yesterday I submitted https://bugs.php.net/76906 to report that I wasn't
>> able to set the "samesite" attribute on cookies while I followed what's
>> been approved in https://wiki.php.net/rfc/same-site-cookie
>>
>> Damian answered on the bug report that the $options argument has swallowed
>> the lifetime one, so that $options is now the 3rd arg and not the 4th as
>> noted in the RFC.
>>
>> He suggested that I raise the topic on internals, so here we are.
>>
>> Are we fine with this? If yes, shouldn't an errata be added to the RFC so
>> that ppl aren't confused like I was?
>
> Related discussion: <https://externals.io/message/100304#102909>ff.
>
> Not sure if an errata (or amendment) should be added to the RFC, or
> whether it is sufficient to document the new signatures in the manual
> proper and the migration guide.
>

A reminder of some rather ... out of the ordinary things that led us here:

- The RFC author was trying to rush *any* kind of SameSite
implementation for 7.2, but eventually agreed mid-vote
(https://externals.io/message/100304#100319) to give it another year
for proper discussion, modifications, etc.
- However, the vote was not closed and I still question whether it
should be considered valid at all, but if so, it was voted-in WITH an
explicit $expires parameter for setcookie(), setrawcookie() and an
explicit $lifetime parameter for session_set_cookie_params().
- As it often happens, no further discussion happened on the list
until 7.3 FF was just about to happen.
- It was suggested that we move $expires/$lifetime inside the array,
and we agreed for that on session_set_cookie_params(), but for
set[raw]cookie(), it was basically one person for it and another one
(me) against it. We didn't reach an agreement; here's the last
on-topic email about it: https://externals.io/message/100304#102964

Since a PR with that change has been merged, apparently a side was
chosen and so be it, I guess. But given all of the above, I think
adding an errata to the RFC is the least that should be done.

Cheers,
Andrey.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
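
The signatures this thread is about, as an added example that is not part of the original emails or of the PHP project's code: in PHP 7.3 the options array is the third argument of setcookie(), with the expiry inside it, and session_set_cookie_params() takes the array with a 'lifetime' key. The helper name, cookie name and values are constructed for illustration.

```php
<?php
// Added example; set_samesite_cookie() is a hypothetical helper, not a PHP API.

function set_samesite_cookie(string $name, string $value, int $expires, string $sameSite = 'Lax'): bool
{
    if (PHP_VERSION_ID < 70300) {
        // Before 7.3 setcookie() has no options-array form, so fail loudly
        // rather than silently emit a cookie without SameSite.
        throw new RuntimeException('setcookie() options array requires PHP >= 7.3');
    }
    if (!in_array($sameSite, ['Lax', 'Strict'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }

    // As merged for 7.3: $options is the THIRD argument and the expiry is
    // the 'expires' key inside it. The form voted on in the RFC,
    //     setcookie($name, $value, $expires, ['samesite' => 'Lax']);
    // does not work, because the fourth parameter is still the string $path.
    return setcookie($name, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => $sameSite,
    ]);
}

// Session cookie: the array replaces the first argument and the expiry
// is expressed as 'lifetime' (seconds), not 'expires'.
session_set_cookie_params([
    'lifetime' => 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

// Constructed sample values.
set_samesite_cookie('prefs', 'dark-mode', time() + 86400, 'Lax');
```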
