
Adds support for the SameSite attribute in cookies. #19104


Closed
iangcarroll wants to merge 7 commits into symfony:master from iangcarroll:patch-1

Conversation

@iangcarroll
Contributor

Q              A
Branch?        master
Bug fix?       no
New feature?   yes
BC breaks?     no
Deprecations?  no
Tests pass?    yes
Fixed tickets  N/A
License        MIT
Doc PR         N/A

$sameSite can be set to false, "lax", or "strict".

You can read about what the different modes do here: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

* @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client
* @param bool $httpOnly Whether the cookie will be made accessible only through the HTTP protocol
* @param bool $raw Whether the cookie value should be sent with no url encoding
* @param bool|string $sameSite Whether the cookie will be available for cross-site requests
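Review bot: the $sameSite docblock on the last line describes the attribute backwards: SameSite restricts when the browser attaches the cookie to cross-site requests, it does not make the cookie "available" for them, and the description never says which values are accepted. Suggest stating the contract explicitly, e.g. `@param string|null $sameSite One of "lax" or "strict", or null to omit the attribute`, since true is not a meaningful value and bool|string invites callers to pass it.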
Contributor

wouldn't $crossSite be more descriptive?

Contributor

It's good practice to adhere to the spec name, i.e. samesite => setSameSite.

Member

string|null would be better than string|bool IMO (especially given that true is not a valid value for this argument)

protected$secure;
protected$httpOnly;
private$raw;
protected$sameSite;
Member

should be private

* @param bool $secure Whether the cookie should only be transmitted over a secure HTTPS connection from the client
* @param bool $httpOnly Whether the cookie will be made accessible only through the HTTP protocol
* @param bool $raw Whether the cookie value should be sent with no url encoding
* @param bool|null $sameSite Whether the cookie will be available for cross-site requests


string|null

Contributor (Author)

Whoops.

$this->httpOnly = (bool)$httpOnly;
$this->raw = (bool)$raw;

if (!in_array($sameSite,array(self::SAMESITE_LAX,self::SAMESITE_STRICT,null))) {
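Review bot: the in_array() check on the last line is loose, so false, 0 and '' all compare equal to null and pass, while the PR description still says $sameSite may be set to false. Either accept false explicitly and normalise it to null, or document only "lax", "strict" and null; in both cases pass true as the third argument so that unexpected values such as the string "true" are rejected instead of being silently accepted.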
Member

You should pass true as a third argument


@fabpot
Member

Thank you @iangcarroll.

@joergludwig

I just spent two hours trying to make use of the SameSite flag. What I did not know was that Cookie allows setting the flag, but Response::sendHeaders() does not handle it. Maybe Response should throw an exception saying that PHP does not yet support sending the SameSite flag?

@xabbuh
Member

Please open a new issue if you think that something is not working as expected.

@ThomHurks

Indeed, this "feature" is very misleading, as the SameSite attribute is never even passed to setcookie(), so this doesn't do anything. Reported in #25344.
My suggestion is to revert this PR, since it doesn't do anything and is just misleading now. It can be re-added when PHP 7.3 is released, which may implement SameSite according to the RFC https://wiki.php.net/rfc/same-site-cookie

@joergludwig

Btw: A simple workaround is to add the following line to your apache config:
Header edit Set-Cookie $ "; samesite=lax"
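As an added example, not code from symfony/symfony or from this PR, the PHP below does in application code what the PR description promises and what the later comments from joergludwig and ThomHurks say the merged change never delivered: it renders the Set-Cookie header itself, SameSite included, and sends it with header() instead of setcookie(), so the attribute reaches the browser on PHP versions whose setcookie() ignores it. It accepts the "lax", "strict" and null values from the PR description and uses the strict in_array() comparison a reviewer asked for. The class name SameSiteCookie, the PHP >= 7.0 requirement and the sample cookie values are assumptions made for this illustration.

```php
<?php
// Added example, not part of symfony/symfony or this PR. Assumes PHP >= 7.0.
// Builds the Set-Cookie header by hand so that the SameSite attribute reaches
// the browser even where setcookie() drops it.

final class SameSiteCookie
{
    const SAMESITE_LAX = 'lax';       // attached to top-level cross-site navigations only
    const SAMESITE_STRICT = 'strict'; // never attached to cross-site requests

    private $name;
    private $value;
    private $expire;
    private $path;
    private $domain;
    private $secure;
    private $httpOnly;
    private $sameSite;

    public function __construct(
        string $name,
        string $value = '',
        int $expire = 0,
        string $path = '/',
        string $domain = null,
        bool $secure = false,
        bool $httpOnly = true,
        string $sameSite = null
    ) {
        // RFC 6265 cookie-name: reject separators and control characters.
        if ('' === $name || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
            throw new \InvalidArgumentException(sprintf('Invalid cookie name "%s".', $name));
        }
        if (null !== $sameSite) {
            $sameSite = strtolower($sameSite);
            // Strict comparison: with a loose in_array(), false, 0 and '' would all
            // compare equal to null, pass the check, and silently emit no attribute.
            if (!in_array($sameSite, [self::SAMESITE_LAX, self::SAMESITE_STRICT], true)) {
                throw new \InvalidArgumentException(sprintf('Invalid SameSite value "%s".', $sameSite));
            }
        }

        $this->name = $name;
        $this->value = $value;
        $this->expire = $expire;
        $this->path = $path;
        $this->domain = $domain;
        $this->secure = $secure;
        $this->httpOnly = $httpOnly;
        $this->sameSite = $sameSite;
    }

    /** Render the header value in the form the browser expects. */
    public function __toString(): string
    {
        $str = rawurlencode($this->name).'='.rawurlencode($this->value);

        if (0 !== $this->expire) {
            $str .= '; expires='.gmdate('D, d-M-Y H:i:s T', $this->expire);
            $str .= '; max-age='.($this->expire - time());
        }
        if ('' !== $this->path) {
            $str .= '; path='.$this->path;
        }
        if (null !== $this->domain) {
            $str .= '; domain='.$this->domain;
        }
        if ($this->secure) {
            $str .= '; secure';
        }
        if ($this->httpOnly) {
            $str .= '; httponly';
        }
        if (null !== $this->sameSite) {
            $str .= '; samesite='.$this->sameSite;
        }

        return $str;
    }

    /** Queue the header; the "false" keeps any Set-Cookie headers already queued. */
    public function send()
    {
        header('Set-Cookie: '.$this, false);
    }
}

// Constructed sample values for illustration only.
$session = new SameSiteCookie('sid', 'opaque-session-token', time() + 3600, '/', null, true, true, SameSiteCookie::SAMESITE_STRICT);
echo $session, "\n";

// Rejected: "true" is not a valid value, which is why string|null beats bool|string here.
try {
    new SameSiteCookie('sid', 'x', 0, '/', null, false, true, 'true');
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The manual header has one advantage over the Apache "Header edit" workaround above: it appends samesite only to the cookies you choose, whereas the Apache rule appends it to every Set-Cookie the server emits, including third-party or framework cookies that may need to be sent cross-site.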

