[RFC] partitioned option for setcookie/setrawcookie and sessions #12652
Conversation
|
Partitioned cookies are marked as experimental by Mozilla (https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies). Theoretically this means they are subject to change. It seems they're mostly pushed by Google. I'm also unsure about the premise of the original issue:
I haven't tested this, but I think what this means is that Maybe this warrants a short e-mail to the ML? I'm not a specialist in regards to cookies. Maybe other people have something to add. |
|
@nielsdos I am attempting to implement CHIPS for my app with an ugly workaround manually setting the cookie header so this PR would be very helpful but I think it should also include changes to the session cookie to truly allow developers to fix the problem. session_set_cookie_params(['partitioned' => true]) My use case is the most basic wherin my app (tool) is displayed in an iframe within a learning management system (LMS) and requires a session cookie for further interaction after the inital LTI launch. |
AFAIK, Mozilla and Safari have experimented with similar ideas, but right now only Chrome supports the
That's it indeed! Chrome just started an experiment, now active for 1% of users, in which it will block third-party cookies that lack the If this experiment results in a launch down the road, I think plenty of developers will want to use |
Yeah, I fear that the scope of this must be increased, and ini settings are probably necessary too. |
|
I think we should probably have RFC for this as the agreement is not clear (Derick raised some concerns on internals) so I don't think we can just merge this. |
e609e44 to
744fd4c
Compare
|
LGTM |
ext/session/session.c
Outdated
| @@ -898,6 +898,7 @@ PHP_INI_BEGIN() | |||
| STD_PHP_INI_ENTRY("session.cookie_path", "/", PHP_INI_ALL, OnUpdateSessionStr, cookie_path, php_ps_globals, ps_globals) | |||
| STD_PHP_INI_ENTRY("session.cookie_domain", "", PHP_INI_ALL, OnUpdateSessionStr, cookie_domain, php_ps_globals, ps_globals) | |||
| STD_PHP_INI_BOOLEAN("session.cookie_secure", "0", PHP_INI_ALL, OnUpdateSessionBool, cookie_secure, php_ps_globals, ps_globals) | |||
| STD_PHP_INI_BOOLEAN("session.cookie_partitioned","0", PHP_INI_ALL, OnUpdateSessionBool, cookie_partitioned, php_ps_globals, ps_globals) | |||
There was a problem hiding this comment.
It already looks misaligned, so let's have the space after comma:
| STD_PHP_INI_BOOLEAN("session.cookie_partitioned","0", PHP_INI_ALL, OnUpdateSessionBool, cookie_partitioned, php_ps_globals, ps_globals) | |
| STD_PHP_INI_BOOLEAN("session.cookie_partitioned", "0", PHP_INI_ALL, OnUpdateSessionBool, cookie_partitioned, php_ps_globals, ps_globals) |
There was a problem hiding this comment.
I'll just add a commit to reformat this table. But a separate commit for history reasons...
| @@ -1725,6 +1736,7 @@ PHP_FUNCTION(session_set_cookie_params) | |||
| zend_string *lifetime = NULL, *path = NULL, *domain = NULL, *samesite = NULL; | |||
| bool secure = 0, secure_null = 1; | |||
| bool httponly = 0, httponly_null = 1; | |||
| bool partitioned = false, partitioned_null = true; | |||
There was a problem hiding this comment.
Using false/true here is inconsistent with the rest and also with the reassignment in line 1809. This should be unified one way or another.
Independent of this, this should probably be fixed once and for all with a tree-wide Coccinelle run. Something like:
@@
bool b;
@@
- b = 1
+ b = true
@@
bool b;
@@
- b = 0
+ b = false
There was a problem hiding this comment.
I'll fix this for ext/session post-merge as a follow up
There was a problem hiding this comment.
I'll fix this for ext/session post-merge as a follow up
Would do this tree-wide (possibly with per-extension commits) to not fix this piecemeal. See also: #19418 (comment)
A good opportunity might be right when branching PHP 8.5.
|
Vote seems exceedingly likely to pass and the implementation is good except for minor nits, thus already requesting RM review as per https://externals.io/message/128453. |
|
Vote was accepted |
832ea24 to
9d42a82
Compare
RFC: https://wiki.php.net/rfc/chips