[VOTE] Same Site Cookie RFC

  100304
August 25, 2017 21:19 f.bosch@genkgo.nl (Frederik Bosch)
LS,

Just now, I opened the RFC on implementing same site cookies in PHP, 
https://wiki.php.net/rfc/same-site-cookie, for voting.

It consists of two questions, depending on the implementation you would 
like to see of the feature. Both questions will affect the API of four 
core functions: setcookie, setrawcookie, session_set_cookie_params and 
session_get_cookie_params. The first three functions have a similar 
function signature. The first implementation suggestion is to add an 
additional argument to these three functions. The second implementation 
suggestion is to allow an array of options into which all the cookie 
options will be moved. More details are to be found in the RFC.

Hopefully, the samesite cookie flag will become a feature of the PHP 
language through this RFC!

Kind regards,
Frederik Bosch
  100305
August 25, 2017 22:18 danack@basereality.com (Dan Ackroyd)
On 25 August 2017 at 22:19, Frederik Bosch <f.bosch@genkgo.nl> wrote:
> LS,
>
> Just now, I opened the RFC on implementing same site cookies in PHP,
> https://wiki.php.net/rfc/same-site-cookie, for voting.

Please be explicit:

> Proposed PHP Version(s)
> next PHP 7.x

It's really late in the day for 7.2. Although people might still vote
for it, the RFC needs to be explicit about which version it is for.

cheers
Dan
  100307
August 25, 2017 22:25 f.bosch@genkgo.nl (Frederik Bosch)
Hi Dan,

While I agree on your statement that it is late for 7.2, I believe the 
text is explicit enough. Since features for PHP 7.2 are frozen, 
according to the rules this should go for the version thereafter. 
However, if a release manager wants to pick it up and embed it in 7.2, I 
am not going to protest. All things considered, I see no reason to change 
the sentence.

Best,
Frederik



  100309
August 25, 2017 23:10 pollita@php.net (Sara Golemon)
On Fri, Aug 25, 2017 at 6:18 PM, Dan Ackroyd <danack@basereality.com> wrote:
> On 25 August 2017 at 22:19, Frederik Bosch <f.bosch@genkgo.nl> wrote:
>> LS,
>>
>> Just now, I opened the RFC on implementing same site cookies in PHP,
>> https://wiki.php.net/rfc/same-site-cookie, for voting.
>
> Please be explicit:
>
>> Proposed PHP Version(s)
>> next PHP 7.x
>
> It's really late in the day for 7.2. Although people might still vote
> for it, the RFC needs to be explicit about which version it is for.
>
In my opinion it's too late for 7.2 especially as it contains an ABI
break which at best will be annoying for the folks helping us test.
The primary vote should be about 7.3 and if this wants to land on 7.2
there should be a separate vote for that.

-Sara
  100310
August 26, 2017 06:21 Remi Collet <remi@fedoraproject.org>

On 26/08/2017 at 01:10, Sara Golemon wrote:

> In my opinion it's too late for 7.2 especially as it contains an ABI
> break which at best will be annoying for the folks helping us test.
> The primary vote should be about 7.3 and if this wants to land on 7.2
> there should be a separate vote for that.

+1

BTW, choice 1 seems awful but preserves BC.

Perhaps choice 2 could be implemented in a BC way, allowing both protos.

Ex for session_set_cookie_params:

    Parse arg 2 as an optional zval
    if arg2 is an array
        if argc > 2
            error
        else
            new proto, array of options
    else
        old proto

Remi.
  100311
August 26, 2017 15:34 f.bosch@genkgo.nl (Frederik Bosch)
Hi Sara,

Thanks for clearing this up. I have no intention to have it merged in 7.2 
so I updated the RFC to specifically mention it is for 7.3. If other 
people want to have it in 7.2, they can start a new RFC to make that happen.

Best,
Frederik



  100312
August 27, 2017 09:54 lars@strojny.net (Lars Strojny)
Hi Sara, hi Frederik,

Sounds good! Let's vote on getting it in first and then we can have a 2nd RFC (and vote) if it should land in 7.2.

cu,
Lars

Sent from my electronic toy

  100315
August 28, 2017 15:04 pollita@php.net (Sara Golemon)
On Sun, Aug 27, 2017 at 5:54 AM, Lars Strojny <lars@strojny.net> wrote:
> Sounds good! Let's vote in getting it in first and then we can have a 2nd RFC (and vote) if it should land in 7.2
>
Mmmm, not quite. IF you want to aim for 7.2, do it now in the same
vote. Back porting is sub-optimal and there's not a rush to land it on
7.3. The time sensitive part is 7.2.

FTR, I'll be voting "No" on a 7.2, and I've already submitted my yes
vote for 7.3 (options array variant).

-Sara
  100316
August 28, 2017 15:23 narf@devilix.net (Andrey Andreev)
Hi,

On Mon, Aug 28, 2017 at 6:04 PM, Sara Golemon <pollita@php.net> wrote:
> On Sun, Aug 27, 2017 at 5:54 AM, Lars Strojny <lars@strojny.net> wrote:
>> Sounds good! Let's vote in getting it in first and then we can have a 2nd RFC (and vote) if it should land in 7.2
>>
> Mmmm, not quite. IF you want to aim for 7.2, do it now in the same
> vote. Back porting is sub-optimal and there's not a rush to land it
> on 7.3. The time sensitive part is 7.2.
>
I second this.

In fact, there was a competing idea/RFC when the discussion started,
but the author of this one insisted that there's no time to wait for
that. To me, it doesn't make sense to rush this (compared to
alternative ideas) if it doesn't get into 7.2.

Cheers,
Andrey.
  100317
August 28, 2017 15:34 f.bosch@genkgo.nl (Frederik Bosch | Genkgo)
Hi Andrey,

While I agree on your statement that back-porting is suboptimal, I do 
not agree on the fact that I said that there was no time to wait. I 
submitted the RFC, awaited the opinions, changed the document according 
to the different viewpoints and I link to the other RFC from this RFC. I 
do not want to 'push' this through. I think we know the opinions, so it 
is time to vote. If both suggestions from this RFC don't make it, then 
people can go for other solutions.

Best,
Frederik



  100318
August 28, 2017 15:58 narf@devilix.net (Andrey Andreev)
Hi Frederik,

On Mon, Aug 28, 2017 at 6:34 PM, Frederik Bosch | Genkgo
<f.bosch@genkgo.nl> wrote:
> Hi Andrey,
>
> While I agree on your statement that back-porting is suboptimal, I do not
> agree on the fact that I said that there was no time to wait. I submitted
> the RFC, awaited the opinions, changed the document according to the
> different viewpoints and I link to the other RFC from this RFC. I do not
> want to 'push' this through. I think we know the opinions, so it is time to
> vote. If both suggestions from this RFC don't make, then people can go for
> other solutions.
>
You did wait for, and adjust according to suggestions, I'm not questioning that.

I was referring to this message: https://externals.io/message/99884#99893

If you want this to land in 7.2 (i.e. not "take a while before we see
samesite cookie implemented"), then there really is no time to wait.
I'm not being negative here ... I'm using this as an argument to make
the vote for 7.2 now.
Otherwise, we have an entire year to polish all the details in time for 7.3.

Cheers,
Andrey.
  100319
August 28, 2017 16:10 f.bosch@genkgo.nl (Frederik Bosch | Genkgo)
Hi Andrey,

Little misunderstanding then. I agree we had better have this in PHP 7.3 
and take some time for it. Current votes also suggest that we should go 
for the array argument implementation. Since there is only a PR for the 
extra argument implementation, it will also take time to have the PR for 
the array argument implementation ready. Taking that into account, we 
should not want this in 7.2.

Best,
Frederik



  100320
August 28, 2017 16:20 pollita@php.net (Sara Golemon)
On Mon, Aug 28, 2017 at 12:10 PM, Frederik Bosch | Genkgo
<f.bosch@genkgo.nl> wrote:
> Little misunderstanding then. I agree we can better have this PHP 7.3 and
> take some time for it. Current votes also suggest that we should go for the
> array argument implementation. Since there is only a PR for the extra
> argument implementation, it will also take time to have the PR for the
> array argument implementation ready. Taken that into account, we should not
> want this in 7.2.
>
Indeed, yes. Assuming the votes continue on this sharp lean towards the
array option, we should just forget all notions of trying to sneak this
into 7.2.

Direct calls in 7.2 and earlier can easily fall back on calling
header('Set-Cookie: ...'); manually, while sessions support is slightly
more complex, but still doable from userspace. I expect if need is
deemed high for this, a drop-in composer package can do 90% of the work
automatically.

-Sara
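A userland fallback of the kind Sara describes, as an added example that is not the RFC's patch and not PHP core code: it implements the BC dual prototype Remi sketched earlier in the thread (positional arguments or a single options array, with an error when the two are mixed) and emits the Set-Cookie header by hand. build_set_cookie and send_cookie are hypothetical names, and the sample cookie values are constructed.

```php
<?php
/**
 * Userland fallback for PHP < 7.3: build a Set-Cookie header value that
 * carries SameSite. Accepts both prototypes discussed in this thread:
 *   build_set_cookie($name, $value, $expires, $path, $domain, $secure, $httponly, $samesite)
 *   build_set_cookie($name, $value, ['path' => '/', 'samesite' => 'Lax', ...])
 * Hypothetical helper written for this thread, not PHP core and not the RFC's patch.
 */
function build_set_cookie(string $name, string $value, ...$args): string
{
    if (isset($args[0]) && is_array($args[0])) {
        // Options-array prototype: the array must be the only argument after $value
        // (the "if the arg is an array and argc is too large then error" dispatch).
        if (count($args) > 1) {
            throw new InvalidArgumentException('Options array cannot be mixed with positional arguments');
        }
        $opts = $args[0];
    } else {
        // Positional prototype: setcookie() argument order with samesite appended.
        $keys = ['expires', 'path', 'domain', 'secure', 'httponly', 'samesite'];
        if (count($args) > count($keys)) {
            throw new InvalidArgumentException('Too many positional arguments');
        }
        $opts = array_combine(array_slice($keys, 0, count($args)), $args);
    }
    $opts += ['expires' => 0, 'path' => '', 'domain' => '',
              'secure' => false, 'httponly' => false, 'samesite' => ''];

    // Same name restriction setcookie() enforces: no separators or control characters.
    if ($name === '' || strpbrk($name, "=,; \t\r\n\013\014") !== false) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    // SameSite is emitted unencoded, so only the tokens the RFC accepts may reach the header.
    $samesite = ucfirst(strtolower((string) $opts['samesite']));
    if (!in_array($samesite, ['', 'Lax', 'Strict'], true)) {
        throw new InvalidArgumentException('SameSite must be Lax or Strict');
    }

    $header = $name . '=' . rawurlencode($value); // setcookie() encodes the value the same way
    if ((int) $opts['expires'] > 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', (int) $opts['expires'])
                 . '; Max-Age=' . max(0, (int) $opts['expires'] - time());
    }
    if ((string) $opts['path'] !== '')   { $header .= '; path=' . $opts['path']; }
    if ((string) $opts['domain'] !== '') { $header .= '; domain=' . $opts['domain']; }
    if ($opts['secure'])                 { $header .= '; secure'; }
    if ($opts['httponly'])               { $header .= '; HttpOnly'; }
    if ($samesite !== '')                { $header .= '; SameSite=' . $samesite; }
    return $header;
}

/** Send the cookie; $replace = false keeps earlier Set-Cookie headers in the response. */
function send_cookie(string $name, string $value, ...$args): void
{
    header('Set-Cookie: ' . build_set_cookie($name, $value, ...$args), false);
}

// Constructed sample values: both prototypes must yield the identical header line.
$positional = build_set_cookie('sid', 'abc 123', 0, '/', '', true, true, 'strict');
$options    = build_set_cookie('sid', 'abc 123',
    ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
if ($positional !== $options) {
    throw new RuntimeException("prototype mismatch: $positional vs $options");
}
```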
  100323
August 28, 2017 21:16 lars@strojny.net (Lars Strojny)
Hi Sara, hi Frederik,

Thinking more about this I came to change my vote (and for that reason I’ll take back the suggestion to include it into 7.2):

1. The array API is the better API and allows for healthier future growth so we should pursue that option.

2. There is a (very ugly) workaround to set a same site policy by misusing the “session.cookie_path” or “session.cookie_domain” setting (e.g. set it to “/; SameSite=Strict”, you are welcome, Internet).

cu,
Lars
  100313
August 28, 2017 09:24 ajf@ajf.me (Andrea Faulds)
Hi,

Frederik Bosch wrote:
> LS,
>
> Just now, I opened the RFC on implementing same site cookies in PHP,
> https://wiki.php.net/rfc/same-site-cookie, for voting.

Correct me if I'm wrong, but wasn't the RFC only put to internals a week
ago? That's not a long enough discussion period before opening voting,
https://wiki.php.net/rfc/howto says it should be at least 2 weeks.

Regards.
--
Andrea Faulds
https://ajf.me/
  100314
August 28, 2017 15:01 theodorejb@outlook.com (Theodore Brown)
On Monday, August 28, 2017 4:24 AM Andrea Faulds wrote:

> Correct me if I'm wrong, but wasn't the RFC only put to internals a week
> ago? That's not a long enough discussion period before opening voting,
> https://wiki.php.net/rfc/howto says it should be at least 2 weeks.

The current RFC was put to internals on July 24, over a month ago
(in the "[RFC] samesite cookie implementation" thread).

Theodore Brown
  100325
August 29, 2017 11:33 ajf@ajf.me (Andrea Faulds)
Hi Theodore,

Theodore Brown wrote:
> On Monday, August 28, 2017 4:24 AM Andrea Faulds wrote:
>
>> Correct me if I'm wrong, but wasn't the RFC only put to internals a week
>> ago? That's not a long enough discussion period before opening voting,
>> https://wiki.php.net/rfc/howto says it should be at least 2 weeks.
>
> The current RFC was put to internals on July 24, over a month ago
> (in the "[RFC] samesite cookie implementation" thread).

Ah, you're right of course, my apologies to everyone. I was quite tired
yesterday and I think I misread “2017-07-17” as “2017-08-17”.

--
Andrea Faulds
https://ajf.me/
  100321
August 28, 2017 19:06 smalyshev@gmail.com (Stanislav Malyshev)
Hi!

> additional argument to these three functions. The second implementation
> suggestion is to allow an array of options in which all the cookie
> options will be moved into. More details are to be found in the RFC.

Something not clear to me on the second one - why lifetime/expiration is
a separate parameter while all others are part of $options?

--
Stas Malyshev
smalyshev@gmail.com
  100322
August 28, 2017 19:53 f.bosch@genkgo.nl (Frederik Bosch)
Hi Stanislav,

My reasoning for this is as follows.

1. The session_set_cookie_params function requires a lifetime parameter 
at the moment.

2. To enforce that lifetime stays required I did not want to make it 
required within the optional array. That would make that optional array 
not optional anymore, and even have a required key. I don't think that 
is a good idea.

3. To prevent the array of options from differing between the three 
functions (session_set_cookie_params, setcookie, setrawcookie), I chose 
to exclude lifetime from the array of options and include it in the list 
of arguments.

Hence, I chose a consistent and logical API over the three functions 
together rather than having logical ones per function. Hope it makes sense.

Best,
Frederik




  100839
October 8, 2017 07:46 me@kelunik.com (Niklas Keller)
There are no voting dates in the RFC, but it's open for over a month now.

I guess it can be closed.

Regards, Niklas

  100845
October 10, 2017 06:00 f.bosch@genkgo.nl (Frederik Bosch)
Hi Niklas,

Sorry for the delay. I have my mind on totally different things these 
days. Closed the voting and moved it to accepted. Thanks everyone for 
voting! Now, let's implement this RFC!

Best regards,
Frederik


