PHP 7.3 Same-site Cookies

Published on 2018-12-08

PHP 7.3 is now officially released, and it comes with support for the SameSite cookie flag!

What is the SameSite cookie flag?

The SameSite cookie flag, supported in Chrome (51+) and Firefox (60+) but not yet in Edge/IE (not surprisingly), is an attribute you can set on cookies. It tells the browser whether the cookie should be sent with cross-site requests. It takes one of three values, Strict, Lax or None, which let you decide how strictly browsers enforce it.

None

If the samesite=None flag is set, browsers will not enforce SameSite rules for that cookie at all. Even where browsers treat cookies without a SameSite flag as Lax (which is the case for Chrome 80 and later), setting None explicitly disables this protection.

Lax

When a cookie is marked samesite=Lax, it will not be sent with cross-site requests unless the request is a regular top-level navigation (a link) that takes the user to the target site. Other request methods (such as POST and PUT) and XHR requests originating from another site will not carry this cookie.

Strict

If you mark a cookie as Strict, it will not be sent with any cross-site request whatsoever. Even if the user simply navigates to the target site through a regular link, the cookie will not be sent. This can lead to confusing or downright impractical user experiences, so be careful if you use Strict cookies.

Same-Site session cookie in PHP 7.3

PHP 7.3 adds a new php.ini directive that makes PHP send the SameSite flag on the session cookies it issues. Edit your php.ini file and add the line below:

session.cookie_samesite=Lax

You can change the Lax value to Strict for Strict cookies.

For an explicit SameSite=None session cookie, the value must be quoted, because an unquoted none in an INI file is interpreted as false.

session.cookie_samesite="None"

If the directive is not set, PHP sends no SameSite attribute and it is up to browsers to assume a default value. Most notably, Chrome 80 and onwards assumes samesite=Lax in that case.
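The same session-cookie attributes can be set at runtime rather than in php.ini. The following is an added example, not code from the original article: it uses the options-array form of session_set_cookie_params() that PHP 7.3 introduced alongside the new setcookie() signature, and it refuses the None-without-Secure combination that browsers reject. The function name configureSessionCookie is an assumption for illustration.

```php
<?php
// Added example (not from the original article): configure the PHP session
// cookie's SameSite attribute at runtime. Requires PHP 7.3+, where
// session_set_cookie_params() accepts an options array with a 'samesite' key.
// configureSessionCookie() is a hypothetical helper name.
declare(strict_types=1);

function configureSessionCookie(string $sameSite = 'Lax', bool $secure = true): void
{
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }
    // Chrome 80+ drops SameSite=None cookies that are not also Secure, so fail
    // loudly instead of emitting a session cookie the browser will discard.
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }

    // Equivalent to session.cookie_samesite / session.cookie_secure /
    // session.cookie_httponly in php.ini, but scoped to this script.
    session_set_cookie_params([
        'lifetime' => 0,        // expires when the browser session ends
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => $secure,
        'httponly' => true,     // keep the session id out of reach of scripts
        'samesite' => $sameSite,
    ]);
}

// Must run before session_start(), which is what actually sends the cookie.
configureSessionCookie('Lax');
session_start();
```

If you cannot edit php.ini, ini_set('session.cookie_samesite', 'Lax') before session_start() has the same effect as the directive; the array form above just keeps all cookie attributes in one place.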

Set the SameSite flag on custom cookies

PHP 7.3 adds a new setcookie() signature that takes an options array, in which you set the samesite flag as in the example below:

// PHP 7.3+ options-array signature; 'samesite' is the new key.
setcookie('NAME_OF_A_SENSITIVE_COOKIE',    'cookie_value', ['samesite' => 'Lax']);
setcookie('NAME_OF_A_SUPER_SECURE_COOKIE', 'cookie_value', ['samesite' => 'Strict']);
// Browsers from Chrome 80 onwards discard SameSite=None cookies that are not also Secure.
setcookie('NAME_OF_A_MEH_COOKIE',          'cookie_value', ['samesite' => 'None', 'secure' => true]);
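Applications that still run on PHP older than 7.3 have no samesite slot in setcookie(), so the attribute has to be written into the Set-Cookie header by hand. The helper below is an added example, not code from the original article: it uses the PHP 7.3 options array when available, falls back to a manually built header otherwise, and enforces Secure whenever None is requested. The name setSameSiteCookie and the cookie values are constructed for illustration.

```php
<?php
// Added example (not from the original article): set a cookie with an explicit
// SameSite attribute on any PHP version. setSameSiteCookie() is a hypothetical
// helper name; cookie names and values below are constructed sample data.
declare(strict_types=1);

function setSameSiteCookie(
    string $name,
    string $value,
    string $sameSite = 'Lax',
    int $expires = 0,
    string $path = '/',
    bool $secure = true,
    bool $httpOnly = true
): bool {
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }
    // Chrome 80+ rejects SameSite=None cookies without Secure; refuse the
    // combination rather than emitting a cookie that will never be stored.
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None cookies must also be Secure');
    }

    if (PHP_VERSION_ID >= 70300) {
        // Native support: the options-array form added in PHP 7.3.
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => $path,
            'secure'   => $secure,
            'httponly' => $httpOnly,
            'samesite' => $sameSite,
        ]);
    }

    // Fallback for PHP < 7.3: assemble the Set-Cookie header ourselves.
    // urlencode() approximates the encoding setcookie() applies to the value.
    $parts = [$name . '=' . urlencode($value)];
    if ($expires > 0) {
        $parts[] = 'Expires=' . gmdate('D, d-M-Y H:i:s T', $expires);
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    $parts[] = 'Path=' . $path;
    if ($secure) {
        $parts[] = 'Secure';
    }
    if ($httpOnly) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $sameSite;

    if (headers_sent()) {
        return false; // too late to add headers, mirror setcookie()'s behaviour
    }
    // Second argument false: append, so earlier Set-Cookie headers survive.
    header('Set-Cookie: ' . implode('; ', $parts), false);
    return true;
}

// Usage: an authentication cookie stays Lax so cross-site POSTs never carry it;
// a preference cookie that must work inside third-party embeds gets None + Secure.
setSameSiteCookie('auth_token', 'constructed-example-value', 'Lax');
setSameSiteCookie('embed_pref', 'constructed-example-value', 'None', time() + 3600);
```

The fallback path is only worth keeping while you still deploy on PHP 7.2 or older; once everything runs 7.3+, the first branch is all that remains.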

WordPress Plugin

If you are using WordPress, I have put together a minimal WordPress plugin: Plugin page here, and Git repo here.
