Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-08-06 Thread Yasuo Ohgaki
On Mon, Aug 6, 2018 at 5:53 PM Yasuo Ohgaki wrote: > > > On Mon, Jul 30, 2018 at 6:51 PM Andrey Andreev wrote: > >> On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki wrote: >> > On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev >> wrote: >> >> >> >> Hi, >> >> >> >> On Sun, Jul 29, 2018 at 7:22 AM, Ya

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-08-06 Thread Yasuo Ohgaki
On Mon, Jul 30, 2018 at 6:51 PM Andrey Andreev wrote: > On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki wrote: > > On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev wrote: > >> > >> Hi, > >> > >> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki > wrote: > >> > > >> > One thing regarding implementation

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-30 Thread Andrey Andreev
On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki wrote: > On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev wrote: >> >> Hi, >> >> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki wrote: >> > >> > One thing regarding implementation. >> > Since the internet RFC has only 2 values for "samesite", the parame

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-29 Thread Yasuo Ohgaki
On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev wrote: > Hi, > > On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki wrote: > > > > One thing regarding implementation. > > Since the internet RFC has only 2 values for "samesite", the parameter > can > > be > > bool rather than string so that users can a

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-29 Thread Andrey Andreev
Hi, On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki wrote: > > One thing regarding implementation. > Since the internet RFC has only 2 values for "samesite", the parameter can > be > bool rather than string so that users can avoid "broken security by a typo". > If "samesite" has more than 2 values,

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-28 Thread Yasuo Ohgaki
On Mon, Jul 23, 2018 at 10:42 AM Niklas Keller wrote: > On Sun, Jul 22, 2018 at 18:11, Pedro Magalhães < > m...@pmmaga.net> wrote: > > > > On Sun, Jul 22, 2018 at 2:47 PM Niklas Keller wrote: > > > > > It'd be great to use an OO approach instead of "magic" array keys, > > > e.g. like this:

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-24 Thread Theodore Brown
On Tue, Jul 24, 2018 at 11:37 AM Pedro Magalhães wrote: > Well, "expires" is what ends up in the cookie header itself so I think > that it's simple to remember. But I do understand your arguments on > semantic purity and the fact that Max-Age is derived from it but I still > believe that in this

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-24 Thread Andrey Andreev
Hi, On Tue, Jul 24, 2018 at 7:37 PM, Pedro Magalhães wrote: > On Sun, Jul 22, 2018 at 6:54 PM Andrey Andreev wrote: >> >> Last, but certainly not least, we talk about $expires here only because >> that's how it's (currently) named in either documentation and/or >> reflection. But for all intents

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-24 Thread Pedro Magalhães
On Sun, Jul 22, 2018 at 6:54 PM Andrey Andreev wrote: > Last, but certainly not least, we talk about $expires here only because > that's how it's (currently) named in either documentation and/or > reflection. But for all intents and purposes it may as well be named > $fooBar and it wouldn't matter

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Andrey Andreev
Hi again, On Sun, Jul 22, 2018 at 6:47 PM, Pedro Magalhães wrote: > On Sun, Jul 22, 2018 at 1:16 PM Andrey Andreev wrote: >> >> But while I didn't quote that part of your >> message, you did also suggest to apply the same decision to other >> functions and so I am talking about all of them. >> >

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Niklas Keller
On Sun, Jul 22, 2018 at 18:52, Christoph M. Becker wrote: > > On 22.07.2018 at 18:40, Niklas Keller wrote: > > > On Sun, Jul 22, 2018 at 18:11, Pedro Magalhães > > wrote: > >> > >> On Sun, Jul 22, 2018 at 2:47 PM Niklas Keller wrote: > >> > >>> It'd be great to use an OO approach in

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Christoph M. Becker
On 22.07.2018 at 18:40, Niklas Keller wrote: > On Sun, Jul 22, 2018 at 18:11, Pedro Magalhães wrote: >> >> On Sun, Jul 22, 2018 at 2:47 PM Niklas Keller wrote: >> >>> It'd be great to use an OO approach instead of "magic" array keys, >>> e.g. like this: >>> >>> https://github.com/amphp/htt

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Niklas Keller
On Sun, Jul 22, 2018 at 18:11, Pedro Magalhães wrote: > > On Sun, Jul 22, 2018 at 2:47 PM Niklas Keller wrote: > > > It'd be great to use an OO approach instead of "magic" array keys, > > e.g. like this: > > > > https://github.com/amphp/http/blob/9c0ba2f2ebfae482b3ad7a0475eb3d1f74d87949/src

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Pedro Magalhães
On Sun, Jul 22, 2018 at 2:47 PM Niklas Keller wrote: > It'd be great to use an OO approach instead of "magic" array keys, > e.g. like this: > > https://github.com/amphp/http/blob/9c0ba2f2ebfae482b3ad7a0475eb3d1f74d87949/src/Cookie/CookieAttributes.php > > Regards, Niklas > Hi, While I do agree

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Pedro Magalhães
On Sun, Jul 22, 2018 at 1:16 PM Andrey Andreev wrote: > Ok, I can see how it can be inconvenient for > session_set_cookie_params(), though calling it "extremely" unfriendly > is some exaggeration IMO. Hi, Right, I may have been a bit overly dramatic. :) > But while I didn't quote that part o

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Niklas Keller
On Sun, Jul 22, 2018 at 14:16, Andrey Andreev wrote: > > Hi, > > On Sun, Jul 22, 2018 at 2:21 AM, Pedro Magalhães wrote: > > On Sat, Jul 21, 2018 at 11:26 PM Andrey Andreev wrote: > >> > >> Yes. > >> > >> All other "options" are actual *cookie attribute* names, as defined by > >> the vario

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Andrey Andreev
Hi, On Sun, Jul 22, 2018 at 2:21 AM, Pedro Magalhães wrote: > On Sat, Jul 21, 2018 at 11:26 PM Andrey Andreev wrote: >> >> Yes. >> >> All other "options" are actual *cookie attribute* names, as defined by >> the various IETF RFCs, while "lifetime" is just a convenient name used >> by PHP. It doe

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-22 Thread Nikita Popov
On Sun, Jul 22, 2018 at 1:21 AM, Pedro Magalhães wrote: > On Sat, Jul 21, 2018 at 11:26 PM Andrey Andreev wrote: > > > Yes. > > > > All other "options" are actual *cookie attribute* names, as defined by > > the various IETF RFCs, while "lifetime" is just a convenient name used > > by PHP. It doe

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-21 Thread Pedro Magalhães
On Sat, Jul 21, 2018 at 11:26 PM Andrey Andreev wrote: > Yes. > > All other "options" are actual *cookie attribute* names, as defined by > the various IETF RFCs, while "lifetime" is just a convenient name used > by PHP. It doesn't correspond to a particular attribute, but instead > the values for

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-21 Thread Andrey Andreev
Hi, On Thu, Jul 19, 2018 at 12:00 AM, Pedro Magalhães wrote: > > With this being said, would anyone oppose an implementation where all the > options (including lifetime) are included in the array parameter? > Yes. All other "options" are actual *cookie attribute* names, as defined by the variou

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-21 Thread Pedro Magalhães
On Sat, Jul 21, 2018 at 12:11 PM Christoph M. Becker wrote: > Personally, I'd even prefer this, but that's not what was voted upon, so > I'm not sure if it's okay. Anyhow, the implementation is available as > . Thanks, Pedro! > I personally believe tha

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-21 Thread Christoph M. Becker
On 18.07.2018 at 23:00, Pedro Magalhães wrote: > On 28-08-17 21:06, Stanislav Malyshev wrote: > >> Something not clear to me on the second one - why lifetime/expiration is >> a separate parameter while all others are part of $options? > > On Mon, Aug 28, 2017 at 8:53 PM Frederik Bosch wrote: >

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-18 Thread Pedro Magalhães
On 28-08-17 21:06, Stanislav Malyshev wrote: > Something not clear to me on the second one - why lifetime/expiration is > a separate parameter while all others are part of $options? On Mon, Aug 28, 2017 at 8:53 PM Frederik Bosch wrote: > 1. The session_set_cookie_params function requires a lif

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-10-09 Thread Frederik Bosch
Hi Niklas, Sorry for the delay. I have my mind on totally different things these days. Closed the voting and moved it to accepted. Thanks everyone for voting! Now, let's implement this RFC! Best regards, Frederik On 08-10-17 09:46, Niklas Keller wrote: There are no voting dates in the RFC

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-10-08 Thread Niklas Keller
There are no voting dates in the RFC, but it's open for over a month now. I guess it can be closed. Regards, Niklas 2017-08-25 23:19 GMT+02:00 Frederik Bosch : > LS, > > Just now, I opened the RFC on implementing same site cookies in PHP, > https://wiki.php.net/rfc/same-site-cookie, for voting.

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Lars Strojny
Hi Sara, hi Frederik, Thinking more about this I came to change my vote (and for that reason I’ll take back the suggestion to include it into 7.2): The array API is the better API and allows for healthier future growth so we should pursue that option There is a (very ugly) workaround to s

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Frederik Bosch
Hi Stanislav, My reasoning for this is as follows. 1. The session_set_cookie_params function requires a lifetime parameter at the moment. 2. To enforce that lifetime stays required I did not want to make it required within the optional array. That would make that optional array not optional

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Stanislav Malyshev
Hi! > additional argument to these three functions. The second implementation > suggestion is to allow an array of options in which all the cookie > options will be moved into. More details are to be found in the RFC. Something not clear to me on the second one - why lifetime/expiration is a sepa

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Sara Golemon
On Mon, Aug 28, 2017 at 12:10 PM, Frederik Bosch | Genkgo wrote: > Little misunderstanding then. I agree we can better have this PHP 7.3 and > take some time for it. Current votes also suggest that we should go for the > array argument implementation. Since there is only a PR for the extra > argu

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Frederik Bosch | Genkgo
Hi Andrey, Little misunderstanding then. I agree we can better have this PHP 7.3 and take some time for it. Current votes also suggest that we should go for the array argument implementation. Since there is only a PR for the extra argument implementation, it will also take time to have the PR

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Andrey Andreev
Hi Frederik, On Mon, Aug 28, 2017 at 6:34 PM, Frederik Bosch | Genkgo wrote: > Hi Andrey, > > While I agree on your statement that back-porting is suboptimal, I do not > agree on the fact that I said that there was no time to wait. I submitted > the RFC, awaited the opinions, changed the document

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Frederik Bosch | Genkgo
Hi Andrey, While I agree on your statement that back-porting is suboptimal, I do not agree on the fact that I said that there was no time to wait. I submitted the RFC, awaited the opinions, changed the document according to the different viewpoints and I link to the other RFC from this RFC. I

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Andrey Andreev
Hi, On Mon, Aug 28, 2017 at 6:04 PM, Sara Golemon wrote: > On Sun, Aug 27, 2017 at 5:54 AM, Lars Strojny wrote: >> Sounds good! Let's vote in getting it in first and then we can have a 2nd >> RFC (and vote) if it should land in 7.2 >> > Mmmm, not quite. IF you want to aim for 7.2, do it now in

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-28 Thread Sara Golemon
On Sun, Aug 27, 2017 at 5:54 AM, Lars Strojny wrote: > Sounds good! Let's vote in getting it in first and then we can have a 2nd RFC > (and vote) if it should land in 7.2 > Mmmm, not quite. IF you want to aim for 7.2, do it now in the same vote. Back porting is sub-optimal and there's not a rus

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-27 Thread Lars Strojny
Hi Sara, hi Frederik, Sounds good! Let's vote in getting it in first and then we can have a 2nd RFC (and vote) if it should land in 7.2 cu, Lars Sent from my electronic toy > On 26. Aug 2017, at 17:34, Frederik Bosch wrote: > > Hi Sara, > > Thanks for clearing this. I have no intention to h

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-26 Thread Frederik Bosch
Hi Sara, Thanks for clearing this. I have no intention to have it merged in 7.2 so I updated the RFC to specifically mention it is for 7.3. If other people want to have it in 7.2, they can start a new RFC to make that happen. Best, Frederik On 26-08-17 01:10, Sara Golemon wrote: On Fri, A

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-25 Thread Remi Collet
On 26/08/2017 at 01:10, Sara Golemon wrote: > In my opinion it's too late for 7.2 especially as it contains an ABI > break which at best will be annoying for the folks helping us test. > The primary vote should be about 7.3 and if this wants to land on 7.2 > there should be a separate vote for t

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-25 Thread Sara Golemon
On Fri, Aug 25, 2017 at 6:18 PM, Dan Ackroyd wrote: > On 25 August 2017 at 22:19, Frederik Bosch wrote: >> LS, >> >> Just now, I opened the RFC on implementing same site cookies in PHP, >> https://wiki.php.net/rfc/same-site-cookie, for voting. > > Please be explicit: > >> Proposed PHP Version(s)

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-25 Thread Frederik Bosch
Hi Dan, While I agree on your statement that it is late for 7.2, I believe the text is explicit enough. Since features for PHP 7.2 are frozen, according to the rules this should go for the version thereafter. However, if a release manager wants to pick it up and embed it in 7.2, I am not going

Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-25 Thread Dan Ackroyd
On 25 August 2017 at 22:19, Frederik Bosch wrote: > LS, > > Just now, I opened the RFC on implementing same site cookies in PHP, > https://wiki.php.net/rfc/same-site-cookie, for voting. Please be explicit: > Proposed PHP Version(s) > next PHP 7.x It's really late in the day for 7.2. Although p

[PHP-DEV] [VOTE] Same Site Cookie RFC

2017-08-25 Thread Frederik Bosch
LS, Just now, I opened the RFC on implementing same site cookies in PHP, https://wiki.php.net/rfc/same-site-cookie, for voting. It consists of two questions, depending on the implementation you would like to see of the feature. Both questions will affect the API of four core functions: setco