PHP :: Request #72230 :: Add SameSite Cookies to setcookie()

Add SameSite Cookies to setcookie()

Submitted:

2016-05-17 11:29 UTC

Modified:

2018-08-05 04:56 UTC

Votes:	174
Avg. Score:	4.9 ± 0.5
Reproduced:	137 of 144 (95.1%)
Same Version:	85 (62.0%)
Same OS:	76 (55.5%)

From:

love at sickpeople dot se

Assigned:

carusogabriel (profile)

Status:

Closed

Package:

*Network Functions

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 39 - 18 = ?
Subscribe to this entry?

[2016-05-17 11:29 UTC] love at sickpeople dot se

Description:
------------
Add a new parameter to setcookie()

 - Name: samesite

 - Default value: false

 - If true, sets the SameSite flag

In short, this helps security by protecting against CSRF, XSSI and others (see link below).

Update to RFC 6265: https://tools.ietf.org/html/draft-west-first-party-cookies-07

Implemented in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=459154

Patches

php-7.0.13-setcookie-samesite-attribute (last revision 2016-12-01 09:59 UTC by xistence at 0x90 dot nl)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-10-04 13:22 UTC] marcus at synchromedia dot co dot uk

`true` isn't a good option - it should accept only the defined values from the RFC (https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1), i.e. `Strict` or `Lax`.

[2016-11-03 16:05 UTC] love at sickpeople dot se

Bug for adding INI session.cookie_samesite: https://bugs.php.net/bug.php?id=73454

[2016-12-01 10:08 UTC] xistence at 0x90 dot nl

I've created a patch that adds support for the SameSite cookie attribute in the setcookie() function.

The samesite value can be set like this through setcookie(), note that the last function argument is the samesite value ("Lax" in this case):

<?php setcookie("TestCookie", 31337, time()+3600, "/", "thisdomain.com", 1, 1, "Lax" ); ?>

Retrieving the headers shows the SameSite=Lax cookie attribute being set:

$ curl -I http://X.X.X.X/index.php
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2016 10:06:55 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.0.13 OpenSSL/1.0.1e-fips
X-Powered-By: PHP/7.0.13
Set-Cookie: TestCookie=31337; expires=Thu, 01-Dec-2016 11:06:55 GMT; Max-Age=3600; path=/; domain=thisdomain.com; secure; HttpOnly; SameSite=Lax
Content-Type: text/html; charset=UTF-8

This also adds the session.cookie_samesite INI setting as mentioned in bug ID #73454

As mentioned before, one should not set this to "true" to enable, but use one of the currently supported values of "Lax" or "Strict" as mentioned in the RFC.
These are the settings currently supported by Chrome and Opera (And probably soon in Firefox/Edge)

[2017-02-21 12:46 UTC] ale dot comp_06 at xox dot ch

what about using constants (Cookies::SAMESITE_LAX ?) instead of strings?

[2017-02-21 13:37 UTC] marcus at synchromedia dot co dot uk

I agree with that, constants a better idea than strings.

Good new article on using this cookie flag: https://scotthelme.co.uk/csrf-is-dead/

This should go into PHP ASAP, it's a vital security feature.

[2017-02-21 13:50 UTC] narf at devilix dot net

@xistence I noticed a small bug in the patch, here:

+	if (samesite) {
+		len += ZSTR_LEN(domain);
+	}

... should be ZSTR_LEN(samesite)

But either way, it would get more attention if you submit a PR through GitHub and start a discussion about it on the php-internals@ mailing list.

I'd like to see this happen ASAP, but I'm guessing the maintainers would opt to see what happens with https://tools.ietf.org/html/draft-west-first-party-cookies-07 first (and to be honest - that's reasonable).

[2017-09-14 17:49 UTC] cmb@php.net

Note that there is already a respective RFC (targetting PHP 7.3.0)
in voting phase: <https://wiki.php.net/rfc/same-site-cookie>.

[2018-02-28 22:02 UTC] cmb@php.net

-Package: Unknown/Other Function +Package: *Network Functions

[2018-03-11 23:47 UTC] cmb@php.net

-Status: Open +Status: Verified

[2018-03-11 23:47 UTC] cmb@php.net

The <https://wiki.php.net/rfc/same-site-cookie> RFC has been
accepted quite a while ago, but the implementation is still
missing.  A respective PR would be welcome!

[2018-08-05 04:56 UTC] carusogabriel@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: carusogabriel

[2018-08-05 04:56 UTC] carusogabriel@php.net

Closing as it was implemented via http://git.php.net/?p=php-src.git;a=commit;h=08b9310e and http://git.php.net/?p=php-src.git;a=commit;h=2b58ab23

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 13:00:01 2025 UTC