PHP 7.3 Same-site Cookies

Published on 2018-12-08

PHP 7.3 is now officially released, and it comes with support for the SameSite cookie flag!

What is the SameSite cookie flag

The SameSite cookie flag, supported in Chrome (51+) and Firefox (60+) but not yet in Edge/IE (not surprisingly), is an attribute you can set on cookies. It tells the browser whether the cookie should be sent with cross-site requests. There are three values, Lax, Strict, and None, that let you decide how strictly browsers enforce it.

None

If the samesite=None flag is set, browsers will not enforce SameSite rules for that cookie at all. Even where browsers treat cookies without the flag as Lax (as Chrome 80 and later do), explicitly setting None disables that protection.

Lax

When a cookie is marked samesite=Lax, the cookie is not sent with cross-site requests unless the request is a regular top-level navigation (such as the user following a link) to the target site. Other request methods (such as POST and PUT) and XHR requests will not carry this cookie.

Strict

If you mark a cookie as Strict, the cookie is not sent with any cross-site request whatsoever. Even when the user simply navigates to the target site via a regular link, the cookie will not be sent. This can lead to confusing or downright impractical user experiences, so be careful when you use Strict cookies.

Same-Site session cookie in PHP 7.3

PHP 7.3 provides a new php.ini directive that makes PHP send the SameSite flag with its session cookies. Edit your php.ini file and add the line below:

session.cookie_samesite=Lax

You can change the Lax value to Strict for Strict cookies.

For explicit SameSite=None session cookies, the value must be quoted in php.ini. This is because an unquoted none in an INI file is interpreted as false, so the directive would not take effect.

session.cookie_samesite="None"

If no SameSite attribute is sent at all, it is up to browsers to assume a default value. Most notably, Chrome 80 and onwards assumes samesite=Lax in that case.

Set the SameSite flag on custom cookies

PHP 7.3 adds a new function signature for setcookie() that takes an options array, in which you set the samesite attribute as in the example below:

// PHP 7.3+: the third argument is an options array; 'samesite' accepts 'Lax', 'Strict' or 'None'.
setcookie('NAME_OF_A_SENSITIVE_COOKIE',     'cookie_value', ['samesite' => 'Lax']);
setcookie('NAME_OF_A_SUPER_SECURE_COOKIE',  'cookie_value', ['samesite' => 'Strict']);
// Note: current browsers (Chrome 80+) reject SameSite=None cookies that are not also marked Secure.
setcookie('NAME_OF_A_MEH_COOKIE',           'cookie_value', ['samesite' => 'None', 'secure' => true]);
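The following is an added example, not code from the article or from PHP.Watch. It ties the two PHP 7.3 additions discussed above together: the session cookie is configured programmatically with the options-array form of session_set_cookie_params() (the code-level equivalent of session.cookie_samesite in php.ini), and a small wrapper around setcookie() validates the SameSite value, forces the Secure flag whenever None is requested (because browsers drop None cookies that are not Secure), and falls back to emitting the Set-Cookie header by hand on PHP versions older than 7.3. The function name set_samesite_cookie() and the cookie names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example: set a cookie with a validated SameSite attribute and the
 * companion flags (Secure, HttpOnly) a sensitive cookie normally needs.
 * The function and cookie names here are illustrative assumptions.
 */
function set_samesite_cookie(string $name, string $value, string $sameSite = 'Lax', int $ttlSeconds = 3600): bool
{
    // Browsers recognise exactly these three values; reject anything else early
    // rather than silently sending a cookie with no SameSite protection.
    $allowed = ['Lax', 'Strict', 'None'];
    if (!in_array($sameSite, $allowed, true)) {
        throw new InvalidArgumentException("Invalid SameSite value: {$sameSite}");
    }

    // SameSite=None is only honoured by Chrome 80+ when the cookie is also Secure,
    // so force Secure for None; otherwise follow whether the request itself is HTTPS.
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $secure  = ($sameSite === 'None') || $isHttps;

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options array carries the samesite key natively.
        return setcookie($name, $value, [
            'expires'  => time() + $ttlSeconds,
            'path'     => '/',
            'secure'   => $secure,
            'httponly' => true,
            'samesite' => $sameSite,
        ]);
    }

    // Older PHP: setcookie() has no samesite option, so emit the Set-Cookie
    // header directly (RFC 6265 syntax). This branch is part of the added example.
    $parts = [
        rawurlencode($name) . '=' . rawurlencode($value),
        'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', time() + $ttlSeconds),
        'Max-Age=' . $ttlSeconds,
        'Path=/',
        'HttpOnly',
        'SameSite=' . $sameSite,
    ];
    if ($secure) {
        $parts[] = 'Secure';
    }
    header('Set-Cookie: ' . implode('; ', $parts), false);
    return true;
}

// Session cookie: PHP 7.3 also accepts an options array in session_set_cookie_params(),
// the programmatic counterpart of session.cookie_samesite. It must run before session_start().
if (PHP_VERSION_ID >= 70300) {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
session_start();

// Usage with the three values discussed in the article (cookie names are constructed):
set_samesite_cookie('sensitive_cookie',    'value1', 'Lax');
set_samesite_cookie('super_secure_cookie', 'value2', 'Strict');
set_samesite_cookie('meh_cookie',          'value3', 'None'); // sent with Secure as well
```

Because session_set_cookie_params() only affects the session cookie that session_start() emits, call it (or set session.cookie_samesite in php.ini) before the session is started; application cookies set later still need the samesite key passed to setcookie() individually.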

WordPress Plugin

If you are using WordPress, I have put together a minimal WordPress plugin: Plugin page here, and Git repo here.
