PHP 7.3 Same-site Cookies

Published On08 Dec 2018

PHP 7.3 is now officially released, and it comes with support for SameSite cookie flag!

What is Same Site cookie flag

Same Site cookie, supported in Chrome (51+), Firefox (60+), but not yet in Edge/IE (not surprisingly), is a flag that you can set for cookies. This flag will mark whether the cookie should be sent for cross-site requests. There are three values, Lax and Strict, None, that you can decide how you want browsers to enforce it.

None

If samesite=None flag is set, browsers will not enforce SameSite rules at all. Even if browsers start to treat cookies without this flag present as Lax (which is the case for Chrome 80 and later), setting None will disable this protection.

Lax

When a cookie is marked samesite=Lax, that cookie will not be passed for any cross-domain requests unless it's a regular link that navigates user to the target site. Other requests methods (such as POST and PUT) and XHR requests will not contain this cookie.

Strict

If you mark a cookie as Strict, that cookie will not be sent for any cross-domain requests whatsoever. Even if the user simply navigates to the target site with a regular link, the cookie will not be sent. This might lead to some confusing or downright impractical user experiences, so be careful if you use Strict cookies.

Same-Site session cookie in PHP 7.3

PHP 7.3 provides a new php.ini directive to force PHP to send the Samesite flag when it sends session cookies. Edit your php.ini file and add the line below:

session.cookie_samesite=Lax

You can change the Lax value to Strict for Strict cookies.

For explicit SameSite=None session cookies, the PHP setting should be used with quotes. This is because in INI, none is interpreted as false.

session.cookie_samesite="None"

It is up to browsers to assume a default value. Most notably, Chrome 80 and onwards will assume samesite=Lax in that case.

Set Samesite flag in custom cookies

PHP 7.3 has a new function signature for setcookie(), where you set the samesite cookie similar to the example below:

setcookie('NAME_OF_A_SESNSISITVE_COOKIE',   'cookie_value', ['samesite' => 'Lax']);
setcookie('NAME_OF_A_SUPER_SECURE_COOKIE',  'cookie_value', ['samesite' => 'Strict']);
setcookie('NAME_OF_A_MEH_COOKIE',           'cookie_value', ['samesite' => 'None']);

WordPress Plugin

If you are using WordPress, I have put together a minimal WordPress plugin: Plugin page here, and Git repo here.

Recent Articles on PHP.Watch

All ArticlesFeed 
How to fix PHP Curl HTTPS Certificate Authority issues on Windows

How to fix PHP Curl HTTPS Certificate Authority issues on Windows

On Windows, HTTPS requests made with the Curl extension can fail because Curl has no root certificate list to validate the server certificates. This article discusses the secure and effective solutions, and highlights bad advice that can leave PHP applications insecure.
AEGIS Encryption with PHP Sodium Extension

AEGIS Encryption with PHP Sodium Extension

The Sodium extension in PHP 8.4 now supports AEGIS-128L and AEGIS256 Authenticated Encryption ciphers. They are significantly faster than AES-GCM and CHACHA20-POLY1305. This article benchmarks them and explains how to securely encrypt and decrypt data using AEGIS-128L and AEGIS256 on PHP.
How to Install/Upgrade PHP 8.3 on MacOS with Homebrew

How to Install/Upgrade PHP 8.3 on MacOS with Homebrew

Install PHP 8.3 and PHP extensions on MacOS with Homebrew.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.