Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-08-25 Thread Christoph M. Becker
On 25.08.2017 at 22:54, Lars Strojny wrote: > I strongly believe this is something we should ship with 7.2. That > would give the ecosystem a 1-year head with a feature that could > eventually help eradicate CSRF. I would argue that this is worth the > unorthodox circumnavigation of our policies.

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-08-25 Thread Lars Strojny
Hi everybody, I strongly believe this is something we should ship with 7.2. That would give the ecosystem a 1-year head with a feature that could eventually help eradicate CSRF. I would argue that this is worth the unorthodox circumnavigation of our policies. Do you think that’s outrageously

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-24 Thread Frederik Bosch | Genkgo
LS, Because of the valid arguments to set(raw)cookie and session_set_cookie_params to become lengthy functions, I reconsidered the proposal. It now consists of two possibilities. One is add samesite as argument and second one is to have these functions accept an array of options. One can rea

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-20 Thread Frederik Bosch | Genkgo
LS, All concerns that have been put forward are updated in the RFC document. See https://wiki.php.net/rfc/same-site-cookie. I am going to start the voting on August 1, 2017. Exactly two weeks after I posted the RFC on the internals list. If new concerns are put forward in the meanwhile, I wil

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-19 Thread Frederik Bosch | Genkgo
Hi Andrey, Thanks for your remark. If I understand correctly, PHP was 4-5 years ahead of HttpOnly becoming an actual standard. What leaders they were back then. Best, Frederik On 19-07-17 17:06, Andrey Andreev wrote: Hi, Not realizing I was looking at EOL dates, I (unintentionally) prov

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-19 Thread Andrey Andreev
Hi, Not realizing I was looking at EOL dates, I (unintentionally) provided some wrong info yesterday: On Tue, Jul 18, 2017 at 5:13 PM, Andrey Andreev wrote: > > - HttpOnly was released with PHP 5.2.0 in January 2011 - just 3 months prior > to IETF RFC 6265 (April 2011) becoming a standards track

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread Andrey Andreev
Hi again, On Tue, Jul 18, 2017 at 4:23 PM, Frederik Bosch | Genkgo wrote: > Hi Andrey, > > Thanks for your feedback. If we are going to wait for http_cookie_set, > then my guess will be that it will take a while before we see samesite > cookie implemented. While I totally agree there is need for

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread li...@rhsoft.net
On 18.07.2017 at 16:00, Marco Pivetta wrote: On Tue, Jul 18, 2017 at 3:50 PM, li...@rhsoft.net wrote: i don't share your opinion, especially talking about 'should be deprecated' where i get the feeling some people's hobby is deprec

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread Marco Pivetta
On Tue, Jul 18, 2017 at 3:50 PM, li...@rhsoft.net wrote: > i don't share your opinion, especially talking about 'should be > deprecated' where i get the feeling some people's hobby is deprecate working > things > > comparing cookie params with encryption is hopefully just kidding > It could be a

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread Marco Pivetta
Hey Andrey, On Mon, Jul 17, 2017 at 11:11 PM, Frederik Bosch | Genkgo wrote: > LS, > > Today I finished writing the RFC for implementing same site cookies in > PHP, https://wiki.php.net/rfc/same-site-cookie. I am happy to receive > your remarks on the proposal, and improve when necessary. > > For

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread Frederik Bosch | Genkgo
Hi Marco, Great feedback. I have to think about it, but your concerns are valid for sure. The RFC is, however, broader than only setcookie and setrawcookie. How about session_set/get_cookie_params? Would you be able to accept the RFC if samesite would only be added to session? Why or why not?

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread li...@rhsoft.net
On 18.07.2017 at 15:45, Marco Pivetta wrote: Hey Andrey, On Mon, Jul 17, 2017 at 11:11 PM, Frederik Bosch | Genkgo wrote: LS, Today I finished writing the RFC for implementing same site cookies in PHP, https://wiki.php.net/rfc/same-site-cookie. I am happy to receive your remarks on the pro

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread Marco Pivetta
Hey Andrey, On Mon, Jul 17, 2017 at 11:11 PM, Frederik Bosch | Genkgo wrote: > LS, > > Today I finished writing the RFC for implementing same site cookies in > PHP, https://wiki.php.net/rfc/same-site-cookie. I am happy to receive > your remarks on the proposal, and improve when necessary. > > For

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread Paul Jones
> On Jul 18, 2017, at 08:37, li...@rhsoft.net wrote: > > > > On 18.07.2017 at 15:23, Frederik Bosch | Genkgo wrote: >> Hi Andrey, >> Thanks for your feedback. If we are going to wait for http_cookie_set, then >> my guess will be that it will take a while before we see samesite cookie >> impl

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread li...@rhsoft.net
On 18.07.2017 at 15:23, Frederik Bosch | Genkgo wrote: Hi Andrey, Thanks for your feedback. If we are going to wait for http_cookie_set, then my guess will be that it will take a while before we see samesite cookie implemented. While I totally agree there is need for a new function with a

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread Frederik Bosch | Genkgo
Hi Andrey, Thanks for your feedback. If we are going to wait for http_cookie_set, then my guess will be that it will take a while before we see samesite cookie implemented. While I totally agree there is need for a new function with a better API, I fail to see why that would mean we cannot ha

Re: [PHP-DEV] [RFC] samesite cookie implementation

2017-07-18 Thread Andrey Andreev
Hi Frederik, On Tue, Jul 18, 2017 at 12:11 AM, Frederik Bosch | Genkgo wrote: > LS, > > Today I finished writing the RFC for implementing same site cookies in PHP, > https://wiki.php.net/rfc/same-site-cookie. I am happy to receive your > remarks on the proposal, and improve when necessary. > > Fo

[PHP-DEV] [RFC] samesite cookie implementation

2017-07-17 Thread Frederik Bosch | Genkgo
LS, Today I finished writing the RFC for implementing same site cookies in PHP, https://wiki.php.net/rfc/same-site-cookie. I am happy to receive your remarks on the proposal, and improve when necessary. For those (only) interested in code, have a look at PR #2613: https://github.com/php/php