Request #72230 Add SameSite Cookies to setcookie()
Submitted: 2016-05-17 11:29 UTC Modified: -
Votes:130
Avg. Score:4.8 ± 0.5
Reproduced:97 of 103 (94.2%)
Same Version:61 (62.9%)
Same OS:58 (59.8%)
From: love at sickpeople dot se Assigned:
Status: Open Package: Unknown/Other Function
PHP Version: Irrelevant OS:
Private report: No CVE-ID:

 [2016-05-17 11:29 UTC] love at sickpeople dot se
Description:
------------
Add a new parameter to setcookie()

 - Name: samesite

 - Default value: false

 - If true, sets the SameSite flag

In short, this helps security by protecting against CSRF, XSSI and others (see link below).

Update to RFC 6265: https://tools.ietf.org/html/draft-west-first-party-cookies-07

Implemented in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=459154



Patches

php-7.0.13-setcookie-samesite-attribute (last revision 2016-12-01 09:59 UTC) by xistence at 0x90 dot nl


Pull Requests


History

 [2016-10-04 13:22 UTC] marcus at synchromedia dot co dot uk
`true` isn't a good option - it should accept only the defined values from the RFC (https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1), i.e. `Strict` or `Lax`.
 [2016-11-03 16:05 UTC] love at sickpeople dot se
Bug for adding INI session.cookie_samesite: https://bugs.php.net/bug.php?id=73454
 [2016-12-01 10:08 UTC] xistence at 0x90 dot nl
I've created a patch that adds support for the SameSite cookie attribute in the setcookie() function.

The samesite value can be set like this through setcookie(), note that the last function argument is the samesite value ("Lax" in this case):

<?php
// name, value, expires (1h), path, domain, secure, HttpOnly, SameSite value
setcookie("TestCookie", 31337, time() + 3600, "/", "thisdomain.com", true, true, "Lax");
?>

Retrieving the headers shows the SameSite=Lax cookie attribute being set:

$ curl -I http://X.X.X.X/index.php
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2016 10:06:55 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.0.13 OpenSSL/1.0.1e-fips
X-Powered-By: PHP/7.0.13
Set-Cookie: TestCookie=31337; expires=Thu, 01-Dec-2016 11:06:55 GMT; Max-Age=3600; path=/; domain=thisdomain.com; secure; HttpOnly; SameSite=Lax
Content-Type: text/html; charset=UTF-8

This also adds the session.cookie_samesite INI setting as mentioned in bug ID #73454

As mentioned before, one should not set this to "true" to enable, but use one of the currently supported values of "Lax" or "Strict" as mentioned in the RFC.
These are the settings currently supported by Chrome and Opera (and probably soon in Firefox/Edge).
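
The following is an added example and is not part of the bug report, the attached patch or PHP itself: a userland stand-in for the requested samesite parameter, usable on PHP builds whose setcookie() does not know the attribute. It builds the Set-Cookie line in the same attribute order PHP emits (compare the curl output above), and it accepts only the two values the draft defines, Lax and Strict, rejecting true/1 as marcus@ and xistence@ argue it should. The function names and the $options array layout are this example's own choice, not a PHP API.

```php
<?php
// Added example, not from the bug report or the patch. Function names and the
// $options shape are this example's own; PHP 7.0-compatible syntax on purpose.

const SAMESITE_VALUES = ['Lax', 'Strict']; // the values in draft-west-first-party-cookies-07

/**
 * Build a Set-Cookie header line and return it (not send it), so it can be
 * inspected or unit-tested without a web SAPI.
 */
function build_set_cookie_header(string $name, string $value, array $options = []): string
{
    // Same characters PHP's setcookie() refuses in a cookie name.
    if ($name === '' || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        throw new InvalidArgumentException('Invalid cookie name');
    }

    $opt = array_merge([
        'expires'  => 0,
        'path'     => '',
        'domain'   => '',
        'secure'   => false,
        'httponly' => false,
        'samesite' => null,
    ], $options);

    // Reject anything that is not exactly one of the defined values. Passing
    // true (which casts to "1") therefore throws instead of emitting SameSite=1.
    if ($opt['samesite'] !== null) {
        $match = null;
        foreach (SAMESITE_VALUES as $allowed) {
            if (strcasecmp($allowed, (string) $opt['samesite']) === 0) {
                $match = $allowed; // normalise case to the draft's spelling
            }
        }
        if ($match === null) {
            throw new InvalidArgumentException(
                'samesite must be one of: ' . implode(', ', SAMESITE_VALUES)
            );
        }
        $opt['samesite'] = $match;
    }

    // setcookie() URL-encodes the value the same way (setrawcookie() does not).
    $header = $name . '=' . urlencode($value);

    if ($opt['expires'] > 0) {
        // Two-part form PHP emits: an RFC 1123 style date plus Max-Age.
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $opt['expires']) . ' GMT';
        $header .= '; Max-Age=' . max(0, $opt['expires'] - time());
    }
    if ($opt['path'] !== '') {
        $header .= '; path=' . $opt['path'];
    }
    if ($opt['domain'] !== '') {
        $header .= '; domain=' . $opt['domain'];
    }
    if ($opt['secure']) {
        $header .= '; secure';
    }
    if ($opt['httponly']) {
        $header .= '; HttpOnly';
    }
    if ($opt['samesite'] !== null) {
        $header .= '; SameSite=' . $opt['samesite'];
    }
    return $header;
}

/** Send the cookie. The false keeps any earlier Set-Cookie headers intact. */
function setcookie_samesite(string $name, string $value, array $options = [])
{
    header('Set-Cookie: ' . build_set_cookie_header($name, $value, $options), false);
}

// Usage with the same cookie the patch author tested:
echo build_set_cookie_header('TestCookie', '31337', [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => 'thisdomain.com',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]), "\n";

// The boolean form proposed in the original request is refused:
try {
    build_set_cookie_header('TestCookie', '31337', ['samesite' => true]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The attribute is honoured only by browsers that implement the draft (the comment above names Chrome and Opera at the time), and it is the browser, not the server, that enforces it; the header is therefore a complement to an anti-CSRF token, not a substitute for one on clients that ignore the attribute.
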
 [2017-02-21 12:46 UTC] ale dot comp_06 at xox dot ch
what about using constants (Cookies::SAMESITE_LAX ?) instead of strings?
 [2017-02-21 13:37 UTC] marcus at synchromedia dot co dot uk
I agree with that, constants are a better idea than strings.

Good new article on using this cookie flag: https://scotthelme.co.uk/csrf-is-dead/

This should go into PHP ASAP, it's a vital security feature.
 [2017-02-21 13:50 UTC] narf at devilix dot net
@xistence I noticed a small bug in the patch, here:

+	if (samesite) {
+		len += ZSTR_LEN(domain);
+	}
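
Review bot: the length accounting in this hunk uses the wrong string: inside `if (samesite)` it adds `ZSTR_LEN(domain)` where `ZSTR_LEN(samesite)` is meant. If `len` sizes the buffer the cookie header is assembled into, that buffer comes out short whenever the SameSite value is longer than the domain (and over-allocated otherwise), so the later append of the SameSite attribute can write past the end. Change the line to `len += ZSTR_LEN(samesite);`.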

... should be ZSTR_LEN(samesite)

But either way, it would get more attention if you submit a PR through GitHub and start a discussion about it on the php-internals@ mailing list.

I'd like to see this happen ASAP, but I'm guessing the maintainers would opt to see what happens with https://tools.ietf.org/html/draft-west-first-party-cookies-07 first (and to be honest - that's reasonable).
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Mon Jun 26 20:01:38 2017 UTC