@krakjoe this looks more like a enhancement/feature then a bugfix to me.

@staabm It definitely is. Would it require a RFC?

Okay, I read the patch ...

I think it would be best to get the RFC process started, if a clear consensus emerges from the discussion alone, then the voting may not be necessary. But we should at least attempt to have the discussion, and the best way to inform the discussion is a well written RFC ...

I squashed the commits, since the lights should be green by now.
@krakjoe I will write the RFC.

This gets a big 👍 from me, although I can't vote on RFCs. :)

This sounds like a good idea, but probably we should wait for the proposal to be formally accepted before bringing it into the language?

@pmmaga I received RFC access yesterday. I will prioritize the writing of the document. Hope to finish this or next week.

@frederikbosch sorry, I was unclear, I meant the actual document that proposes the standard: http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-same-site.html

@pmmaga I will include that opinion in the cons of the RFC. If we implement before it is an actual standard, there is a risk we might end-up with an API that becomes useless in the future.

Link to the RFC: https://wiki.php.net/rfc/same-site-cookie. Still in draft, will finish in upcoming days and send to mailing list.

Pull request for http_cookie_set is available at #2643. I wait for access to create a RFC for that. This function allows you to add your own option and add the required code in the source for:

http_cookie_set('foo', 'bar', [
    'SameSite' => 'Strict'
]); 

RFC linked to this PR is updated. It now contains two possible solutions.

1. As in this PR: additional argument to setcookie, setrawcookie and session_set_cookie_params
2. Allow an array of options for setcookie, setrawcookie and session_set_cookie_params

When both solutions will be rejected, the floor will be completely open for the proposal of http_cookie_set/remove by @blar since we then investigated all the possible solutions to the current set of functions.

Voting will be opened at August 1st.
RFC: https://wiki.php.net/rfc/same-site-cookie

What's the status here? I just set the RFC's status to Accepted instead of Voting.

@kelunik I planned to write an update to the PR this month.

Regarding spectre attack and suggested mitigations should this be considered as a critical security fix?

@halaei I was not aware that same-site cookie was suggested as spectre fix. If the language would decide this should be considered a critical fix for spectre, then I would be willing to devote time to it really soon. If not, I will take time necessary to make sure it is there (as currently planned) when PHP 7.3 will be released.

@frederikbosch I don't know how serious this is. I also asked the same question in an open PR for symfony/symfony to use header() function instead of setcookie() and setrawcookie().

What is the current status for implementing samesite flag support?

Still being worked on.

Can someone help me compiling/building PHP SRC? I keep getting the same errors. I am using the following Dockerfile. It is based on the official Docker for PHP7.2 CLI with Alpine 7.3.

I keep getting the following error, no matter what I try.

Error relocating /usr/src/php/sapi/cli/php: unsupported relocation type 37
Error relocating /usr/src/php/sapi/cli/php: unsupported relocation type 37
Error relocating /usr/src/php/sapi/cli/php: unsupported relocation type 37
Error relocating /usr/src/php/sapi/cli/php: unsupported relocation type 37

I have no idea where to start.

Can we get an update on the status here please ?

@krakjoe I am not getting tests working as I indicated earlier. I would love to work on this, especially now PHP 7.3 is coming closer, but I need some help with running tests.

Is there some container that can be used to get tests running? I don't care if it Alpine, Stretch, Ubuntu etc.

There is also a bug report for this by @petk. See https://bugs.php.net/bug.php?id=76392.

With PHP < 7.3 some people use a hack to add the samesite option (path="xxx; samesite=..."), but this doesn't work anymore in 7.3 ad the values are filtered. So we really need this to be implemented.

@frederikbosch Wrt. the Alpine build errors, try with PR #3349.

PR #3349 is merged now, so hopefully you should no longer be seeing issues with musl-based docker images.

I think we are getting to a point where the number of parameters for setcookie() is getting massive, perhaps we could add something an array of options or similar, as it is already fairlying annoying to pass a long list of arguments to this function.

@KalleZ That's exactly what has been accepted as part of RFC https://wiki.php.net/rfc/same-site-cookie :)

@nikic ah thanks for the link! I must have missed that part, so its great.

If @frederikbosch doesn't have time it would be great if someone else picks this up, due to the issue that @remicollet mentioned. (I don't have time myself.)

I think @nikic is right. I am really disappointed that I still haven't found time to implement it. But at the moment I simply cannot find the time to spend days on it. For me that is what it takes, because my experience with C is very limited.

My original PR was based on a patch made by someone else (acknowledged in the RFC) and that was done in limited time. Now that the outcome of the RFC is that the methods should accept both array and multiple arguments, I will have to do some research first to find out how to do it. This will take me a lot of time, which I don't have at the moment. I am really sorry. I hope someone is able to do it. If not, I am still hoping to find time to do it before feature freeze of PHP 7.3.

Closing this PR in favor of #3398, which implements the new format using arrays. There is still some uncertainty around implementation details, ref https://externals.io/message/100304#102909 and following.