PHP 7.3 Same-site Cookies

Sat, 2018-12-08 11:10

PHP 7.3 is now officially released, and it comes with support for the SameSite cookie flag!

What is Same Site cookie flag

SameSite, supported in Chrome (51+) and Firefox (60+) and only partially in Edge and IE 11 on Windows 10, is an attribute you can set on a cookie. It tells the browser whether the cookie may be attached to cross-site requests, which is what makes it useful against CSRF: a request that another site triggers arrives without the session cookie, so it is not authenticated. Two values are defined, Lax and Strict, and they decide how strictly the browser enforces it. (A third value, None, was added to the specification after this post was written; it restores the old "always send" behaviour, and browsers require it to be combined with the Secure flag.)

Lax

When a cookie is marked SameSite=Lax, the browser does not send it on cross-site requests, with one exception: top-level navigations that use a safe method such as GET, which is what happens when a user clicks a regular link to the target site (or submits a GET form). Cross-site POST and PUT requests, XHR and fetch requests, and subresource loads such as images and iframes will not carry the cookie.

Strict

If you mark a cookie as Strict, the browser never sends it on a cross-site request. Even when the user simply follows a regular link to the target site, the cookie stays home, so a user arriving from an email or a search result appears logged out until the next same-site navigation. This can lead to confusing or downright impractical user experiences, so be careful with Strict. Either way, treat SameSite as defence in depth rather than a replacement for CSRF tokens: a browser that does not understand the attribute simply ignores it and sends the cookie as before.

Same-Site session cookie in PHP 7.3

PHP 7.3 adds a new php.ini directive that makes PHP include the SameSite attribute in the Set-Cookie header for its session cookie.

Edit your php.ini file and add the line below:

session.cookie_samesite=Lax

You can of course change Lax to Strict for Strict cookies. The directive can also be set at runtime with ini_set() or with the new array form of session_set_cookie_params(), as long as that happens before session_start(). Note that changing the setting does not touch cookies already stored in users' browsers: they are replaced only when PHP next sends a Set-Cookie header for the session, for example after session_regenerate_id().
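The same configuration done at runtime, as an added example that is not part of the original post. It uses the PHP 7.3 array form of session_set_cookie_params() together with the flags that should accompany SameSite on a session cookie, and reads the effective parameters back with session_get_cookie_params() before the session is started. The checkSessionCookieParams() helper and its rules are assumptions of this example, not part of PHP.

```php
<?php
// Added example: configure the session cookie's SameSite attribute at
// runtime (equivalent to session.cookie_samesite=Lax in php.ini) and
// verify the effective settings before any Set-Cookie header goes out.
declare(strict_types=1);

if (PHP_VERSION_ID < 70300) {
    fwrite(STDERR, "PHP 7.3 or newer is required for SameSite session cookies\n");
    exit(1);
}

// Must run before session_start(): once the session cookie has been sent,
// changing these parameters has no effect on the current response.
// ini_set('session.cookie_samesite', 'Lax') would set the attribute alone;
// the array form lets us set the other flags in the same call.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',     // host-only cookie: not shared with subdomains
    'secure'   => true,   // HTTPS only
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',  // or 'Strict', see the section above
]);

/**
 * Hypothetical helper (not a PHP function): inspect the effective session
 * cookie parameters and return a list of problems. An empty array means
 * the configuration looks sane.
 */
function checkSessionCookieParams(array $params): array
{
    $problems = [];
    $samesite = $params['samesite'] ?? '';
    if (!in_array($samesite, ['Lax', 'Strict'], true)) {
        $problems[] = "samesite is '{$samesite}', expected Lax or Strict";
    }
    if (empty($params['secure'])) {
        $problems[] = 'secure flag is off; the session cookie can leak over plain HTTP';
    }
    if (empty($params['httponly'])) {
        $problems[] = 'httponly flag is off; the session cookie is readable from JavaScript';
    }
    return $problems;
}

// session_get_cookie_params() includes the 'samesite' key as of PHP 7.3.
$problems = checkSessionCookieParams(session_get_cookie_params());
if ($problems !== []) {
    fwrite(STDERR, "Session cookie misconfigured:\n  " . implode("\n  ", $problems) . "\n");
    exit(1);
}

session_start();
// The Set-Cookie header for the session id now ends in "; SameSite=Lax".
```

Running this with the checks failing (for example with 'secure' => false) aborts before session_start(), which is the point: it is cheaper to fail a deployment than to discover later that the session cookie went out without the attributes you expected.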

Set Samesite flag in custom cookies

PHP 7.3 adds an alternative signature for setcookie() (and setrawcookie()) that takes an options array as the third argument, with the keys expires, path, domain, secure, httponly and samesite. The SameSite value goes in that array, as in the example below:

setcookie('cookie_name', 'cookie_value', ['samesite' => 'Lax']);
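A fuller version of the call above, as an added example that is not part of the original post. It wraps the PHP 7.3 options array in a small helper so that each custom cookie gets the SameSite value appropriate to what it protects, and then inspects the queued Set-Cookie headers with headers_list() to confirm the attribute is really there. The helper names setSameSiteCookie() and queuedSetCookieHeaders(), and the cookie names auth_token and theme, are assumptions of this example.

```php
<?php
// Added example: set custom cookies with the PHP 7.3 options-array form of
// setcookie(), choosing SameSite per cookie, then check the queued headers.
declare(strict_types=1);

/**
 * Hypothetical helper (not a PHP function). $samesite must be 'Lax' or
 * 'Strict'; anything else is rejected here instead of silently sending a
 * cookie without the attribute. Returns false when the header could not be
 * queued, e.g. because output has already started.
 */
function setSameSiteCookie(string $name, string $value, string $samesite, int $ttl = 0): bool
{
    if (!in_array($samesite, ['Lax', 'Strict'], true)) {
        throw new InvalidArgumentException("unsupported SameSite value: {$samesite}");
    }
    return setcookie($name, $value, [
        'expires'  => $ttl > 0 ? time() + $ttl : 0,  // 0 = session cookie
        'path'     => '/',
        'domain'   => '',      // host-only: no Domain attribute, so subdomains don't get it
        'secure'   => true,
        'httponly' => true,
        'samesite' => $samesite,
    ]);
}

// A cookie that drives authentication decisions: Strict, so it is never
// sent on a request another site initiated, not even a plain link click.
setSameSiteCookie('auth_token', bin2hex(random_bytes(16)), 'Strict', 3600);

// A cookie that only stores a preference: Lax, so following a link from
// another site still shows the user's own settings.
setSameSiteCookie('theme', 'dark', 'Lax', 86400 * 30);

/**
 * Hypothetical helper: return the Set-Cookie headers PHP has queued for
 * this response, so the SameSite attribute can be checked in a test.
 */
function queuedSetCookieHeaders(): array
{
    return array_values(array_filter(
        headers_list(),
        static function (string $h): bool {
            return stripos($h, 'Set-Cookie:') === 0;
        }
    ));
}

foreach (queuedSetCookieHeaders() as $header) {
    echo $header, "\n";
}
```

Each printed header should end in "SameSite=Strict" or "SameSite=Lax" respectively; if one does not, the PHP in use is older than 7.3, which silently accepts the third argument as an array but does not understand its keys, so check PHP_VERSION_ID before relying on the attribute in production.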