Ayesh Karunaratne: Full-time traveler, freelance software architect and security researcher
Sat, 2018-12-08 11:10
PHP 7.3 is now officially released, and it comes with support for SameSite cookie flag!
What is the SameSite cookie flag?
SameSite, supported in Chrome (51+) and Firefox (60+) but not yet in Edge/IE (not surprisingly), is a flag that you can set on cookies. The flag tells the browser whether the cookie should be sent along with cross-site requests. There are two values, Lax and Strict, and you choose between them to decide how strictly browsers should enforce it.
When a cookie is marked samesite=Lax, it will not be sent with any cross-domain request unless that request is a regular link that navigates the user to the target site. Other request methods (such as PUT) and XHR requests will not carry this cookie.
If you mark a cookie as Strict, it will not be sent with any cross-domain request whatsoever. Even if the user simply navigates to the target site through a regular link, the cookie will not be sent. This can lead to confusing or downright impractical user experiences, so be careful if you use Strict.
Same-Site session cookie in PHP 7.3
PHP 7.3 provides a new php.ini directive that makes PHP add the SameSite flag to the session cookie it sends. Open your php.ini file and set the new session.cookie_samesite directive to Lax. You can of course change the Lax value to Strict.
Samesite flag in custom cookies
PHP 7.3 also has a new function signature for setcookie(), which accepts an options array, so you can set the SameSite flag on custom cookies as in the example below:
setcookie('cookie_name', 'cookie_value', ['samesite' => 'Lax']);
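As an added example (not code from the original post), the following script applies both pieces described above on PHP 7.3 or later: the session cookie is given the same SameSite setting that session.cookie_samesite would provide, a custom cookie uses the new setcookie() options array, and a small helper inspects the queued Set-Cookie headers to confirm the attribute actually made it into the response. The cookie name csrf_token and the helper queuedCookieSameSite() are my own choices, not part of PHP or the post.

```php
<?php
// Added example for PHP >= 7.3 (not from the original post).
declare(strict_types=1);

// Session cookie: runtime equivalent of session.cookie_samesite = Lax.
// Must run before session_start(). Secure and HttpOnly are set as well,
// because SameSite complements those flags rather than replacing them.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Custom cookie via the PHP 7.3 array-options signature of setcookie().
// Strict: never sent on cross-site requests, not even top-level link clicks.
// The cookie name is a constructed example.
setcookie('csrf_token', bin2hex(random_bytes(16)), [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

/**
 * Return the SameSite value of every queued Set-Cookie header, keyed by
 * cookie name; null marks a cookie that was queued without the attribute.
 * A quick self-check that the configuration reached the response.
 */
function queuedCookieSameSite(): array
{
    $result = [];
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        $pair = trim(substr($header, strlen('Set-Cookie:')));
        $name = strstr($pair, '=', true);
        $result[$name] = preg_match('/;\s*SameSite=(\w+)/i', $header, $m)
            ? $m[1]
            : null;
    }
    return $result;
}

print_r(queuedCookieSameSite());
```

Any cookie that shows up as null in the output is one the application still sends without a SameSite attribute and should be reviewed.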