|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72230 Add SameSite Cookies to setcookie()
Submitted: 2016-05-17 11:29 UTC Modified: 2018-08-05 04:56 UTC
Avg. Score:4.9 ± 0.5
Reproduced:137 of 144 (95.1%)
Same Version:85 (62.0%)
Same OS:76 (55.5%)
From: love at sickpeople dot se Assigned: carusogabriel (profile)
Status: Closed Package: *Network Functions
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2016-05-17 11:29 UTC] love at sickpeople dot se
Add a new parameter to setcookie()

 - Name: samesite

 - Default value: false

 - If true, sets the SameSite flag

In short, this helps security by protecting against CSRF, XSSI and others (see link below).

Update to RFC 6265:

Implemented in Chrome:


php-7.0.13-setcookie-samesite-attribute (last revision 2016-12-01 09:59 UTC by xistence at 0x90 dot nl)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-04 13:22 UTC] marcus at synchromedia dot co dot uk
`true` isn't a good option - it should accept only the defined values from the RFC (, i.e. `Strict` or `Lax`.
 [2016-11-03 16:05 UTC] love at sickpeople dot se
Bug for adding INI session.cookie_samesite:
 [2016-12-01 10:08 UTC] xistence at 0x90 dot nl
I've created a patch that adds support for the SameSite cookie attribute in the setcookie() function.

The samesite value can be set like this through setcookie(), note that the last function argument is the samesite value ("Lax" in this case):

<?php setcookie("TestCookie", 31337, time()+3600, "/", "", 1, 1, "Lax" ); ?>

Retrieving the headers shows the SameSite=Lax cookie attribute being set:

$ curl -I http://X.X.X.X/index.php
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2016 10:06:55 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.0.13 OpenSSL/1.0.1e-fips
X-Powered-By: PHP/7.0.13
Set-Cookie: TestCookie=31337; expires=Thu, 01-Dec-2016 11:06:55 GMT; Max-Age=3600; path=/;; secure; HttpOnly; SameSite=Lax
Content-Type: text/html; charset=UTF-8

This also adds the session.cookie_samesite INI setting as mentioned in bug ID #73454

As mentioned before, one should not set this to "true" to enable, but use one of the currently supported values of "Lax" or "Strict" as mentioned in the RFC.
These are the settings currently supported by Chrome and Opera (And probably soon in Firefox/Edge)
 [2017-02-21 12:46 UTC] ale dot comp_06 at xox dot ch
what about using constants (Cookies::SAMESITE_LAX ?) instead of strings?
 [2017-02-21 13:37 UTC] marcus at synchromedia dot co dot uk
I agree with that, constants a better idea than strings.

Good new article on using this cookie flag:

This should go into PHP ASAP, it's a vital security feature.
 [2017-02-21 13:50 UTC] narf at devilix dot net
@xistence I noticed a small bug in the patch, here:

+	if (samesite) {
+		len += ZSTR_LEN(domain);
+	}

... should be ZSTR_LEN(samesite)

But either way, it would get more attention if you submit a PR through GitHub and start a discussion about it on the php-internals@ mailing list.

I'd like to see this happen ASAP, but I'm guessing the maintainers would opt to see what happens with first (and to be honest - that's reasonable).
 [2017-09-14 17:49 UTC]
Note that there is already a respective RFC (targetting PHP 7.3.0)
in voting phase: <>.
 [2018-02-28 22:02 UTC]
-Package: Unknown/Other Function +Package: *Network Functions
 [2018-03-11 23:47 UTC]
-Status: Open +Status: Verified
 [2018-03-11 23:47 UTC]
The <> RFC has been
accepted quite a while ago, but the implementation is still
missing.  A respective PR would be welcome!
 [2018-08-05 04:56 UTC]
-Status: Verified +Status: Closed -Assigned To: +Assigned To: carusogabriel
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Feb 29 21:01:30 2024 UTC