[PHP-DEV] [VOTE] Same Site Cookie RFC

Posted by Frederik Bosch 
Frederik Bosch
[PHP-DEV] [VOTE] Same Site Cookie RFC
August 25, 2017 11:30PM
LS,

Just now, I opened the RFC on implementing same site cookies in PHP,
https://wiki.php.net/rfc/same-site-cookie, for voting.

It consists of two questions, depending on the implementation you would
like to see of the feature. Both questions will affect the API of four
core functions: setcookie, setrawcookie, session_set_cookie_params and
session_get_cookie_params. The first three functions have a similar
function signature. The first implementation suggestion is to add an
additional argument to these three functions. The second implementation
suggestion is to allow an array of options in which all the cookie
options will be moved into. More details are to be found in the RFC.

Hopefully, the samesite cookie flag will become a feature of the PHP
language through this RFC!

Kind regards,
Frederik Bosch

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Dan Ackroyd
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 26, 2017 12:20AM
On 25 August 2017 at 22:19, Frederik Bosch <[email protected]> wrote:
> LS,
>
> Just now, I opened the RFC on implementing same site cookies in PHP,
> https://wiki.php.net/rfc/same-site-cookie, for voting.

Please be explicit:

> Proposed PHP Version(s)
> next PHP 7.x


It's really late in the day for 7.2. Although people might still vote
for it, the RFC needs to be explicit about which version it is for.


cheers
Dan

Frederik Bosch
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 26, 2017 12:30AM
Hi Dan,

While I agree with your statement that it is late for 7.2, I believe the
text is explicit enough. Since features for PHP 7.2 are frozen,
according to the rules this should go for the version thereafter.
However, if a release manager wants to pick it up and embed it in 7.2, I
am not going to protest. Things considered, I see no reason to change
the sentence.

Best,
Frederik



On 26-08-17 00:18, Dan Ackroyd wrote:
> On 25 August 2017 at 22:19, Frederik Bosch <[email protected]> wrote:
>> LS,
>>
>> Just now, I opened the RFC on implementing same site cookies in PHP,
>> https://wiki.php.net/rfc/same-site-cookie, for voting.
> Please be explicit:
>
>> Proposed PHP Version(s)
>> next PHP 7.x
>
> It's really late in the day for 7.2. Although people might still vote
> for it, the RFC needs to be explicit about which version it is for.
>
>
> cheers
> Dan


Sara Golemon
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 26, 2017 01:20AM
On Fri, Aug 25, 2017 at 6:18 PM, Dan Ackroyd <[email protected]> wrote:
> On 25 August 2017 at 22:19, Frederik Bosch <[email protected]> wrote:
>> LS,
>>
>> Just now, I opened the RFC on implementing same site cookies in PHP,
>> https://wiki.php.net/rfc/same-site-cookie, for voting.
>
> Please be explicit:
>
>> Proposed PHP Version(s)
>> next PHP 7.x
>
>
> It's really late in the day for 7.2. Although people might still vote
> for it, the RFC needs to be explicit about which version it is for.
>
>
In my opinion it's too late for 7.2 especially as it contains an ABI
break which at best will be annoying for the folks helping us test.
The primary vote should be about 7.3 and if this wants to land on 7.2
there should be a separate vote for that.

-Sara

Remi Collet
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 26, 2017 08:30AM
On 26/08/2017 at 01:10, Sara Golemon wrote:

> In my opinion it's too late for 7.2 especially as it contains an ABI
> break which at best will be annoying for the folks helping us test.
> The primary vote should be about 7.3 and if this wants to land on 7.2
> there should be a separate vote for that.

+1


BTW, choice 1 seems awful but preserves BC

Perhaps choice 2 could be implemented in a BC way, allowing both proto

Ex for session_set_cookie_params

Parse arg 2 as an optional zval

if arg2 is an array
    if argc > 2 error
    else new proto, array of options
else old proto


Remi.
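As an added illustration of the dual-prototype idea sketched above (this is not code from the RFC, the PR or php-src, which parse arguments in C), here is a userland PHP function that inspects its second argument to choose between the legacy positional prototype and an options array. The function name, the option keys and the accepted SameSite values ("Lax" and "Strict") are assumptions for the example.

```php
<?php
// Added example, not from the RFC or php-src. A userland stand-in for
// "parse arg 2 as an optional zval": the type of the second argument
// selects the prototype. Function name, option keys and SameSite values
// are assumed for the illustration.

/**
 * Legacy prototype:
 *   cookie_params_compat(int $lifetime, string $path = '/', string $domain = '',
 *                        bool $secure = false, bool $httponly = false): array
 * New prototype:
 *   cookie_params_compat(int $lifetime, array $options): array
 *
 * Returns the normalised option set so the caller can act on it.
 */
function cookie_params_compat(int $lifetime, ...$args): array
{
    $defaults = [
        'path'     => '/',
        'domain'   => '',
        'secure'   => false,
        'httponly' => false,
        'samesite' => null,   // null: no SameSite attribute is emitted
    ];

    if (isset($args[0]) && is_array($args[0])) {
        // New prototype: "if argc > 2 error".
        if (count($args) > 1) {
            throw new ArgumentCountError('an options array must be the last argument');
        }
        // Reject unknown keys so a misspelled option cannot silently do nothing.
        $unknown = array_diff_key($args[0], $defaults);
        if ($unknown !== []) {
            throw new InvalidArgumentException(
                'unknown cookie option(s): ' . implode(', ', array_keys($unknown)));
        }
        $opts = $args[0] + $defaults;
    } else {
        // Old prototype: positional path, domain, secure, httponly.
        if (count($args) > 4) {
            throw new ArgumentCountError('too many arguments for the positional prototype');
        }
        [$path, $domain, $secure, $httponly] = $args + ['/', '', false, false];
        $opts = [
            'path'     => (string) $path,
            'domain'   => (string) $domain,
            'secure'   => (bool) $secure,
            'httponly' => (bool) $httponly,
            'samesite' => null,
        ];
    }

    // Validate the new attribute on both paths so a typo cannot produce a
    // cookie without the protection the caller expected.
    if ($opts['samesite'] !== null && !in_array($opts['samesite'], ['Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('samesite must be "Lax" or "Strict"');
    }

    return ['lifetime' => $lifetime] + $opts;
}

// Both call styles normalise to the same shape:
var_dump(cookie_params_compat(3600, '/', 'example.com', true, true));
var_dump(cookie_params_compat(3600, ['secure' => true, 'samesite' => 'Strict']));
// cookie_params_compat(3600, ['path' => '/'], 'example.com');  // ArgumentCountError
```

The positional branch keeps the old call sites working unchanged, while the array branch is the only place a `samesite` key can enter, which is what lets both prototypes coexist without an ABI or BC break at the userland level.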
Frederik Bosch
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 26, 2017 05:40PM
Hi Sara,

Thanks for clearing this. I have no intention to have it merged in 7.2
so I updated the RFC to specifically mention it is for 7.3. If other
people want to have it in 7.2, they can start a new RFC to make that happen.

Best,
Frederik



On 26-08-17 01:10, Sara Golemon wrote:
> On Fri, Aug 25, 2017 at 6:18 PM, Dan Ackroyd <[email protected]> wrote:
>> On 25 August 2017 at 22:19, Frederik Bosch <[email protected]> wrote:
>>> LS,
>>>
>>> Just now, I opened the RFC on implementing same site cookies in PHP,
>>> https://wiki.php.net/rfc/same-site-cookie, for voting.
>> Please be explicit:
>>
>>> Proposed PHP Version(s)
>>> next PHP 7.x
>>
>> It's really late in the day for 7.2. Although people might still vote
>> for it, the RFC needs to be explicit about which version it is for.
>>
>>
> In my opinion it's too late for 7.2 especially as it contains an ABI
> break which at best will be annoying for the folks helping us test.
> The primary vote should be about 7.3 and if this wants to land on 7.2
> there should be a separate vote for that.
>
> -Sara


Lars Strojny
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 27, 2017 12:00PM
Hi Sara, hi Frederik,

Sounds good! Let's vote in getting it in first and then we can have a 2nd RFC (and vote) if it should land in 7.2

cu,
Lars

Sent from my electronic toy

> On 26. Aug 2017, at 17:34, Frederik Bosch <[email protected]> wrote:
>
> Hi Sara,
>
> Thanks for clearing this. I have no intention to have it merged in 7.2 so I updated the RFC to specifically mention it is for 7.3. If other people want to have it in 7.2, they can start a new RFC to make that happen.
>
> Best,
> Frederik
>
>
>
>> On 26-08-17 01:10, Sara Golemon wrote:
>>> On Fri, Aug 25, 2017 at 6:18 PM, Dan Ackroyd <[email protected]> wrote:
>>>> On 25 August 2017 at 22:19, Frederik Bosch <[email protected]> wrote:
>>>> LS,
>>>>
>>>> Just now, I opened the RFC on implementing same site cookies in PHP,
>>>> https://wiki.php.net/rfc/same-site-cookie, for voting.
>>> Please be explicit:
>>>
>>>> Proposed PHP Version(s)
>>>> next PHP 7.x
>>>
>>> It's really late in the day for 7.2. Although people might still vote
>>> for it, the RFC needs to be explicit about which version it is for.
>>>
>>>
>> In my opinion it's too late for 7.2 especially as it contains an ABI
>> break which at best will be annoying for the folks helping us test.
>> The primary vote should be about 7.3 and if this wants to land on 7.2
>> there should be a separate vote for that.
>>
>> -Sara
>
>


Andrea Faulds
[PHP-DEV] Re: [VOTE] Same Site Cookie RFC
August 28, 2017 11:30AM
Hi,

Frederik Bosch wrote:
> LS,
>
> Just now, I opened the RFC on implementing same site cookies in PHP,
> https://wiki.php.net/rfc/same-site-cookie, for voting.


Correct me if I'm wrong, but wasn't the RFC only put to internals a week
ago? That's not a long enough discussion period before opening voting,
https://wiki.php.net/rfc/howto says it should be at least 2 weeks.

Regards.
--
Andrea Faulds
https://ajf.me/

Theodore Brown
Re: [PHP-DEV] Re: [VOTE] Same Site Cookie RFC
August 28, 2017 05:10PM
On Monday, August 28, 2017 4:24 AM Andrea Faulds wrote:

> Correct me if I'm wrong, but wasn't the RFC only put to internals a week
> ago? That's not a long enough discussion period before opening voting,
> https://wiki.php.net/rfc/howto says it should be at least 2 weeks.

The current RFC was put to internals on July 24, over a month ago
(in the "[RFC] samesite cookie implementation" thread).

Theodore Brown
Sara Golemon
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 05:10PM
On Sun, Aug 27, 2017 at 5:54 AM, Lars Strojny <[email protected]> wrote:
> Sounds good! Let's vote in getting it in first and then we can have a 2nd RFC (and vote) if it should land in 7.2
>
Mmmm, not quite. IF you want to aim for 7.2, do it now in the same
vote. Back porting is sub-optimal and there's not a rush to land it
on 7.3. The time sensitive part is 7.2.

FTR, I'll be voting "No" on a 7.2, and I've already submitted my yes
vote for 7.3 (options array variant).

-Sara

Andrey Andreev
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 05:30PM
Hi,

On Mon, Aug 28, 2017 at 6:04 PM, Sara Golemon <[email protected]> wrote:
> On Sun, Aug 27, 2017 at 5:54 AM, Lars Strojny <[email protected]> wrote:
>> Sounds good! Let's vote in getting it in first and then we can have a 2nd RFC (and vote) if it should land in 7.2
>>
> Mmmm, not quite. IF you want to aim for 7.2, do it now in the same
> vote. Back porting is sub-optimal and there's not a rush to land it
> on 7.3. The time sensitive part is 7.2.
>

I second this.

In fact, there was a competing idea/RFC when the discussion started,
but the author of this one insisted that there's no time to wait for
that. To me, it doesn't make sense to rush this (compared to
alternative ideas) if it doesn't get into 7.2.

Cheers,
Andrey.

Frederik Bosch | Genkgo
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 05:40PM
Hi Andrey,

While I agree on your statement that back-porting is suboptimal, I do
not agree on the fact that I said that there was no time to wait. I
submitted the RFC, awaited the opinions, changed the document according
to the different viewpoints and I link to the other RFC from this RFC. I
do not want to 'push' this through. I think we know the opinions, so it
is time to vote. If both suggestions from this RFC don't make it, then
people can go for other solutions.

Best,
Frederik



On 28-08-17 17:23, Andrey Andreev wrote:
> Hi,
>
> On Mon, Aug 28, 2017 at 6:04 PM, Sara Golemon <[email protected]> wrote:
>> On Sun, Aug 27, 2017 at 5:54 AM, Lars Strojny <[email protected]> wrote:
>>> Sounds good! Let's vote in getting it in first and then we can have a 2nd RFC (and vote) if it should land in 7.2
>>>
>> Mmmm, not quite. IF you want to aim for 7.2, do it now in the same
>> vote. Back porting is sub-optimal and there's not a rush to land it
>> on 7.3. The time sensitive part is 7.2.
>>
> I second this.
>
> In fact, there was a competing idea/RFC when the discussion started,
> but the author of this one insisted that there's no time to wait for
> that. To me, it doesn't make sense to rush this (compared to
> alternative ideas) if it doesn't get into 7.2.
>
> Cheers,
> Andrey.


Andrey Andreev
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 06:00PM
Hi Frederik,

On Mon, Aug 28, 2017 at 6:34 PM, Frederik Bosch | Genkgo
<[email protected]> wrote:
> Hi Andrey,
>
> While I agree on your statement that back-porting is suboptimal, I do not
> agree on the fact that I said that there was no time to wait. I submitted
> the RFC, awaited the opinions, changed the document according to the
> different viewpoints and I link to the other RFC from this RFC. I do not
> want to 'push' this through. I think we know the opinions, so it is time to
> vote. If both suggestions from this RFC don't make it, then people can go for
> other solutions.
>

You did wait for, and adjust according to suggestions, I'm not questioning that.

I was referring to this message: https://externals.io/message/99884#99893

If you want this to land in 7.2 (i.e. not "take a while before we see
samesite cookie implemented"), then there really is no time to wait.
I'm not being negative here ... I'm using this as an argument to make
the vote for 7.2 now.
Otherwise, we have an entire year to polish all the details in time for 7.3.

Cheers,
Andrey.

Frederik Bosch | Genkgo
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 06:20PM
Hi Andrey,

Little misunderstanding then. I agree we can better have this PHP 7.3
and take some time for it. Current votes also suggest that we should go
for the array argument implementation. Since there is only a PR for the
extra argument implementation, it will also take time to have the PR for
the array argument implementation ready. Taken that into account, we
should not want this in 7.2.

Best,
Frederik



On 28-08-17 17:58, Andrey Andreev wrote:
> Hi Frederik,
>
> On Mon, Aug 28, 2017 at 6:34 PM, Frederik Bosch | Genkgo
> <[email protected]> wrote:
>> Hi Andrey,
>>
>> While I agree on your statement that back-porting is suboptimal, I do not
>> agree on the fact that I said that there was no time to wait. I submitted
>> the RFC, awaited the opinions, changed the document according to the
>> different viewpoints and I link to the other RFC from this RFC. I do not
>> want to 'push' this through. I think we know the opinions, so it is time to
>> vote. If both suggestions from this RFC don't make, then people can go for
>> other solutions.
>>
> You did wait for, and adjust according to suggestions, I'm not questioning that.
>
> I was referring to this message: https://externals.io/message/99884#99893
>
> If you want this to land in 7.2 (i.e. not "take a while before we see
> samesite cookie implemented"), then there really is no time to wait.
> I'm not being negative here ... I'm using this as an argument to make
> the vote for 7.2 now.
> Otherwise, we have an entire year to polish all the details in time for 7.3.
>
> Cheers,
> Andrey.

--

Frederik Bosch
Partner

Mail: f.bosch@genkgo.nl
Web: https://support.genkgo.com

Entrada 123
Amsterdam
+31 208 943 931

Genkgo B.V. is registered with the Chamber of Commerce under number
56501153
Sara Golemon
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 06:30PM
On Mon, Aug 28, 2017 at 12:10 PM, Frederik Bosch | Genkgo <[email protected]> wrote:

> Little misunderstanding then. I agree we can better have this PHP 7.3 and
> take some time for it. Current votes also suggest that we should go for the
> array argument implementation. Since there is only a PR for the extra
> argument implementation, it will also take time to have the PR for the
> array argument implementation ready. Taken that into account, we should not
> want this in 7.2.
>
Indeed, yes. Assuming the votes continue on this sharp lean towards the
array option, we should just forget all notions of trying to sneak this
into 7.2.

Direct calls in 7.2 and earlier can easily fall back on calling
header('Set-Cookie: ...'); manually, while sessions support is slightly
more complex, but still doable from userspace. I expect if need is deemed
high for this, a drop-in composer package can do 90% of the work
automatically.

-Sara
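The fallback described above, as an added example that is not part of the original post and not taken from php-src or from any existing composer package: a userland replacement for direct setcookie() calls that emits its own Set-Cookie header with a SameSite attribute, and a session_start() wrapper that re-emits the session cookie with the attribute. The function names are assumptions; the accepted SameSite values ("Lax", "Strict") are assumed for the example, and the session part assumes headers have not been sent yet and that session_get_cookie_params() returns the lifetime, path, domain, secure and httponly keys as it does on PHP 7.x.

```php
<?php
// Added example, not from the RFC, php-src or any existing package.
// A userland fallback for PHP 7.2 and earlier: direct calls emit
// Set-Cookie themselves, and the session cookie is re-emitted after
// session_start(). Function names are assumed for the illustration.

/** Assemble one Set-Cookie header value; $value must already be cookie-safe. */
function build_samesite_cookie(string $name, string $value, int $expires = 0,
    string $path = '/', string $domain = '', bool $secure = false,
    bool $httponly = false, string $samesite = 'Lax'): string
{
    // Refuse separators and control characters: a stray ";" or CRLF in the
    // name or value would let the caller's input inject cookie attributes
    // or further headers.
    if (preg_match('/[=,;\s\x00-\x1f\x7f]/', $name) || preg_match('/[;\s\x00-\x1f\x7f]/', $value)) {
        throw new InvalidArgumentException('cookie name/value contains forbidden characters');
    }
    if (!in_array($samesite, ['Lax', 'Strict'], true)) {   // accepted values assumed
        throw new InvalidArgumentException('samesite must be "Lax" or "Strict"');
    }
    $parts = ["$name=$value"];
    if ($expires > 0) {
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    if ($path !== '')   { $parts[] = "Path=$path"; }
    if ($domain !== '') { $parts[] = "Domain=$domain"; }
    if ($secure)        { $parts[] = 'Secure'; }
    if ($httponly)      { $parts[] = 'HttpOnly'; }
    $parts[] = "SameSite=$samesite";
    return implode('; ', $parts);
}

/** Direct-call replacement for setcookie(); the value is URL-encoded as setcookie() does. */
function setcookie_samesite(string $name, string $value, int $expires = 0,
    string $path = '/', string $domain = '', bool $secure = false,
    bool $httponly = false, string $samesite = 'Lax'): void
{
    // Second argument false: add to the queued Set-Cookie headers, don't replace them.
    header('Set-Cookie: ' . build_samesite_cookie($name, rawurlencode($value), $expires,
        $path, $domain, $secure, $httponly, $samesite), false);
}

/** session_start() wrapper that re-emits the session cookie with SameSite. */
function session_start_samesite(string $samesite = 'Lax'): bool
{
    if (!session_start()) {
        return false;
    }
    // session_start() has already queued "Set-Cookie: <name>=<id>; ...".
    // header_remove('Set-Cookie') drops every Set-Cookie header, so the
    // unrelated ones are kept and put back; this is the "slightly more
    // complex" part. Only possible while headers have not been sent.
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    $keep = [];
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0 && strpos($h, $prefix) !== 0) {
            $keep[] = $h;
        }
    }
    header_remove('Set-Cookie');
    foreach ($keep as $h) {
        header($h, false);
    }
    $p = session_get_cookie_params();   // lifetime, path, domain, secure, httponly
    $expires = $p['lifetime'] > 0 ? time() + $p['lifetime'] : 0;
    header('Set-Cookie: ' . build_samesite_cookie(session_name(), session_id(), $expires,
        $p['path'], $p['domain'], $p['secure'], $p['httponly'], $samesite), false);
    return true;
}

// Usage (inside a web request, before any output):
// session_start_samesite('Strict');
// setcookie_samesite('prefs', 'theme=dark', time() + 86400, '/', '', true, true, 'Lax');
```

The session wrapper is where the cost of doing this from userspace shows: because header_remove() cannot target a single Set-Cookie header, every other cookie queued before session_start() has to be captured and re-added, which is the kind of bookkeeping a native options array in 7.3 makes unnecessary.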
Stanislav Malyshev
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 09:10PM
Hi!

> additional argument to these three functions. The second implementation
> suggestion is to allow an array of options in which all the cookie
> options will be moved into. More details are to be found in the RFC.

Something not clear to me on the second one - why lifetime/expiration is
a separate parameter while all others are part of $options?

--
Stas Malyshev
smalyshev@gmail.com

Frederik Bosch
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 10:00PM
Hi Stanislav,

My reasoning for this is as follows.

1. The session_set_cookie_params function requires a lifetime parameter
at the moment.

2. To enforce that lifetime stays required I did not want to make it
required within the optional array. That would make that optional array
not optional anymore, and even have a required key. I don't think that
is a good idea.

3. To prevent that the array of options is different between the three
functions (session_set_cookie_params, setcookie, setrawcookie), I chose
to exclude lifetime from the array of options and include it in the list
of arguments.

Hence, I chose a consistent and logical API over the three functions
together rather than having logical ones per function. Hope it makes sense.

Best,
Frederik




On 28-08-17 21:06, Stanislav Malyshev wrote:
> Hi!
>
>> additional argument to these three functions. The second implementation
>> suggestion is to allow an array of options in which all the cookie
>> options will be moved into. More details are to be found in the RFC.
> Something not clear to me on the second one - why lifetime/expiration is
> a separate parameter while all others are part of $options?
>
Lars Strojny
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
August 28, 2017 11:20PM
Hi Sara, hi Frederik,



Thinking more about this I came to change my vote (and for that reason I’ll take back the suggestion to include it into 7.2):


- The array API is the better API and allows for healthier future growth so we should pursue that option
- There is a (very ugly) workaround to set a same site policy by misusing the “session.cookie_path” or “session.cookie_domain” setting (e.g. set it to “/; SameSite=Strict”, you are welcome, Internet).


cu,

Lars





On 28.08.17, 18:20, "Sara Golemon" <[email protected] on behalf of [email protected]> wrote:

> On Mon, Aug 28, 2017 at 12:10 PM, Frederik Bosch | Genkgo <[email protected]> wrote:
>
>> Little misunderstanding then. I agree we can better have this PHP 7.3 and take some time for it. Current votes also suggest that we should go for the array argument implementation. Since there is only a PR for the extra argument implementation, it will also take time to have the PR for the array argument implementation ready. Taken that into account, we should not want this in 7.2.
>
> Indeed, yes. Assuming the votes continue on this sharp lean towards the array option, we should just forget all notions of trying to sneak this into 7.2.
>
> Direct calls in 7.2 and earlier can easily fall back on calling header('Set-Cookie: ...'); manually, while sessions support is slightly more complex, but still doable from userspace. I expect if need is deemed high for this, a drop-in composer package can do 90% of the work automatically.
>
> -Sara
Andrea Faulds
Re: [PHP-DEV] Re: [VOTE] Same Site Cookie RFC
August 29, 2017 01:40PM
Hi Theodore,

Theodore Brown wrote:
> On Monday, August 28, 2017 4:24 AM Andrea Faulds wrote:
>
>> Correct me if I'm wrong, but wasn't the RFC only put to internals a week
>> ago? That's not a long enough discussion period before opening voting,
>> https://wiki.php.net/rfc/howto says it should be at least 2 weeks.
>
> The current RFC was put to internals on July 24, over a month ago
> (in the "[RFC] samesite cookie implementation" thread).

Ah, you're right of course, my apologies to everyone. I was quite tired
yesterday and I think I misread “2017-07-17” as “2017-08-17”.

--
Andrea Faulds
https://ajf.me/

Niklas Keller
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
October 08, 2017 09:50AM
There are no voting dates in the RFC, but it's open for over a month now.

I guess it can be closed.

Regards, Niklas

2017-08-25 23:19 GMT+02:00 Frederik Bosch <[email protected]>:

> LS,
>
> Just now, I opened the RFC on implementing same site cookies in PHP,
> https://wiki.php.net/rfc/same-site-cookie, for voting.
>
> It consists of two questions, depending on the implementation you would
> like to see of the feature. Both questions will affect the API of four core
> functions: setcookie, setrawcookie, session_set_cookie_params and
> session_get_cookie_params. The first three functions have a similar
> function signature. The first implementation suggestion is to add an
> additional argument to these three functions. The second implementation
> suggestion is to allow an array of options in which all the cookie options
> will be moved into. More details are to be found in the RFC.
>
> Hopefully, the samesite cookie flag will become a feature of the PHP
> language through this RFC!
>
> Kind regards,
> Frederik Bosch
>
>
>
Frederik Bosch
Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
October 10, 2017 08:10AM
Hi Niklas,

Sorry for the delay. I have my mind on totally different things these
days. Closed the voting and moved it to accepted. Thanks everyone for
voting! Now, let's implement this RFC!

Best regards,
Frederik



On 08-10-17 09:46, Niklas Keller wrote:
> There are no voting dates in the RFC, but it's open for over a month now.
>
> I guess it can be closed.
>
> Regards, Niklas
>
> 2017-08-25 23:19 GMT+02:00 Frederik Bosch <[email protected]>:
>
> LS,
>
> Just now, I opened the RFC on implementing same site cookies in
> PHP, https://wiki.php.net/rfc/same-site-cookie, for voting.
>
> It consists of two questions, depending on the implementation you
> would like to see of the feature. Both questions will affect the
> API of four core functions: setcookie, setrawcookie,
> session_set_cookie_params and session_get_cookie_params. The first
> three functions have a similar function signature. The first
> implementation suggestion is to add an additional argument to
> these three functions. The second implementation suggestion is to
> allow an array of options in which all the cookie options will be
> moved into. More details are to be found in the RFC.
>
> Hopefully, the samesite cookie flag will become a feature of the
> PHP language through this RFC!
>
> Kind regards,
> Frederik Bosch
>
>
>