[HttpFoundation] Support samesite cookies in response #26478
Conversation
|
They might kill your hack in the next php version |
Note that the PR targets PHP-7.1, since it is supposed to fix a bug. |
|
Maybe you could use or take some inspiration from https://github.com/delight-im/PHP-Cookie |
|
The hack might be acceptable if it is tested. |
|
@nicolas-grekas the best idea I could come up with for a test is an integration test that starts the built-in PHP server and verifies that the header is as expected. |
| @@ -338,10 +338,11 @@ public function sendHeaders() | |||
|
|
|||
| // cookies | |||
| foreach ($this->headers->getCookies() as $cookie) { | |||
| $path = $cookie->getPath().(null !== $cookie->getSameSite() ? ('; samesite='.$cookie->getSameSite()) : ''); | |||
There was a problem hiding this comment.
I understand that this is a hack needed because of the lack of support of samesite in PHP cookie functions. However, wouldn't it be better to hack this into $cookie->getDomain() instead of $cookie->getPath() ?
There was a problem hiding this comment.
@javiereguiluz the issue is, domain can be null while path will always be something
There was a problem hiding this comment.
OK then 👍 ... but @nicolas-grekas proposal may be a better way to solve this? What do you think?
|
Actually here is another approach I worked on, the discussion might still be relevant: #25348 |
This hack adds support for samesite cookies in
Response::sendHeaders(). One can misuse the path parameter to set the samesite attribute nevertheless.