
Adds support for the SameSite attribute in cookies. #19104

Closed
wants to merge 7 commits into from

Conversation

iangcarroll
Contributor

Q A
Branch? master
Bug fix? no
New feature? yes
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets N/A
License MIT
Doc PR N/A

$sameSite can be set to false, "lax", or "strict".

You can read about what the different modes do here: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

@@ -38,10 +39,11 @@ class Cookie
* @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client
* @param bool $httpOnly Whether the cookie will be made accessible only through the HTTP protocol
* @param bool $raw Whether the cookie value should be sent with no url encoding
* @param bool|string $sameSite Whether the cookie will be available for cross-site requests
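Review bot: the `@param bool|string $sameSite` line documents a yes/no flag ("Whether the cookie will be available for cross-site requests") while the PR description says the accepted values are false, "lax" and "strict", and true is not one of them; type it `string|null` and name the accepted values in the description, e.g. `* @param string|null $sameSite The SameSite mode ("lax" or "strict"), or null to omit the attribute`.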
Contributor

Wouldn't $crossSite be more descriptive?

Contributor

It's good practice to adhere to the spec name, i.e. samesite => setSameSite.

Member

string|null would be better than string|bool IMO (especially given that true is not a valid value for this argument)

@@ -26,6 +26,7 @@ class Cookie
protected $secure;
protected $httpOnly;
private $raw;
protected $sameSite;
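Review bot: `protected $sameSite;` is inconsistent with the adjacent `private $raw;` and exposes the new state to subclasses for no stated reason; declare it `private $sameSite;` unless a subclass actually needs to read it.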
Member

should be private

@@ -38,10 +39,11 @@ class Cookie
* @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client
* @param bool $httpOnly Whether the cookie will be made accessible only through the HTTP protocol
* @param bool $raw Whether the cookie value should be sent with no url encoding
* @param bool|null $sameSite Whether the cookie will be available for cross-site requests
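Review bot: `@param bool|null $sameSite` is still the wrong type: the constructor accepts the strings "lax" and "strict" (or null), not a boolean, so the annotation should read `string|null`, and the description should list those values rather than describe the parameter as a yes/no switch.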
Member

string|null

Contributor Author

Whoops.

@@ -71,6 +76,12 @@ public function __construct($name, $value = null, $expire = 0, $path = '/', $dom
$this->secure = (bool) $secure;
$this->httpOnly = (bool) $httpOnly;
$this->raw = (bool) $raw;

if (!in_array($sameSite, array(self::SAMESITE_LAX, self::SAMESITE_STRICT, null))) {
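Review bot: the `in_array(...)` check lacks the strict third argument, so it compares loosely: `false` (which the PR description lists as an allowed value) and `0` both match the `null` entry, and on PHP 5 and 7 `0 == 'lax'` is true as well, so invalid input is not rejected. Pass `true` as the third argument (`in_array($sameSite, array(self::SAMESITE_LAX, self::SAMESITE_STRICT, null), true)`) and, if `false` is meant to stay accepted, normalize it to `null` before the check so the strict comparison does not start rejecting a documented value.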
Member

You should pass true as a third argument

Member

see 4223997


fabpot commented Jun 23, 2016

Thank you @iangcarroll.

@joergludwig

I just spent two hours trying to make use of the SameSite flag. What I did not know was that Cookie allows setting the flag, but Response::sendHeaders() does not handle it. Maybe Response should throw an exception saying that PHP does not yet support sending the SameSite flag?


xabbuh commented Jun 19, 2017

Please open a new issue if you think that something is not working as expected.

@ThomHurks

Indeed, this "feature" is very misleading as the SameSite attribute is never even passed to setcookie(), so this doesn't do anything. Reported in #25344
My suggestion is to revert this PR, since it doesn't do anything and is just misleading now. It can be re-added when PHP 7.3 is released, which may implement SameSite according to the RFC https://wiki.php.net/rfc/same-site-cookie

@joergludwig

Btw: A simple workaround is to add the following line to your apache config:
Header edit Set-Cookie $ "; samesite=lax"
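As an added example (not Symfony's code and not part of this PR), here is how the modes from the PR description can actually reach the browser when setcookie() cannot carry them, which is the gap the comments above describe: the attribute was stored on Cookie but never passed to setcookie(), and PHP before 7.3 had no SameSite option there. The example writes the Set-Cookie header itself via header() and validates the value with a strict in_array, the fix the review asked for on the constructor check. The function names, option keys and constant names are this example's own assumptions, not Symfony's API.

```php
<?php
// Added example, not Symfony code: build and send a Set-Cookie header with the
// SameSite attribute without going through setcookie(), which before PHP 7.3
// had no way to pass it. The names below (normalizeSameSite, buildSetCookieHeader,
// sendCookieHeader, the option keys) are assumptions made for this example.

const SAMESITE_LAX = 'lax';
const SAMESITE_STRICT = 'strict';

/**
 * Accept "lax" or "strict" (any case), null or false; reject everything else.
 * Strict in_array so that 0 or "" cannot pass as "lax" through loose comparison.
 *
 * @param string|bool|null $sameSite
 *
 * @return string|null lowercase mode, or null when no attribute should be sent
 */
function normalizeSameSite($sameSite)
{
    if (null === $sameSite || false === $sameSite) {
        return null;
    }
    if (!is_string($sameSite)) {
        throw new InvalidArgumentException('The "sameSite" parameter value is not valid.');
    }
    $sameSite = strtolower($sameSite);
    if (!in_array($sameSite, array(SAMESITE_LAX, SAMESITE_STRICT), true)) {
        throw new InvalidArgumentException('The "sameSite" parameter value is not valid.');
    }

    return $sameSite;
}

/**
 * Assemble the Set-Cookie header value. Returned rather than sent so that it
 * can be inspected; sendCookieHeader() below emits it.
 */
function buildSetCookieHeader($name, $value, array $options = array())
{
    $options += array(
        'expire' => 0,
        'path' => '/',
        'domain' => null,
        'secure' => false,
        'httpOnly' => true,
        'sameSite' => null,
    );

    $header = rawurlencode($name).'='.rawurlencode($value);
    if ($options['expire'] > 0) {
        $header .= '; expires='.gmdate('D, d-M-Y H:i:s T', $options['expire']);
        $header .= '; max-age='.max(0, $options['expire'] - time());
    }
    if ($options['path']) {
        $header .= '; path='.$options['path'];
    }
    if ($options['domain']) {
        $header .= '; domain='.$options['domain'];
    }
    if ($options['secure']) {
        $header .= '; secure';
    }
    if ($options['httpOnly']) {
        $header .= '; httponly';
    }
    $sameSite = normalizeSameSite($options['sameSite']);
    if (null !== $sameSite) {
        // ucfirst gives the "Lax"/"Strict" spelling used in the draft spec
        $header .= '; SameSite='.ucfirst($sameSite);
    }

    return $header;
}

function sendCookieHeader($name, $value, array $options = array())
{
    // false: add another Set-Cookie header instead of replacing the previous one
    header('Set-Cookie: '.buildSetCookieHeader($name, $value, $options), false);
}

// Usage: a session cookie the browser will not attach to any cross-site request
// (strict) and a preference cookie still sent on top-level navigations (lax).
sendCookieHeader('session', 'abc123', array('secure' => true, 'sameSite' => SAMESITE_STRICT));
sendCookieHeader('prefs', 'dark', array('httpOnly' => false, 'sameSite' => 'Lax'));
```

The strict third argument to in_array is the point the review raised on the constructor check: `false == null` is true in every PHP version and `0 == 'lax'` is true on PHP 5 and 7, so a loose check accepts values it should reject; normalizing false to null first keeps the PR description's "false" meaning "no attribute". Passing false as the second argument to header() matters as well, otherwise each call would replace the previous Set-Cookie header. Compared with the Apache `Header edit` workaround in the comment above, which appends `; samesite=lax` to every Set-Cookie header the server emits regardless of which cookie or application set it, this approach lets each cookie choose its own mode.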
