PHP 7.3 Same-site Cookies
What is the SameSite cookie flag?
SameSite, supported in Chrome (51+) and Firefox (60+) but, at the time of writing, not yet in Edge/IE (not surprisingly), is an attribute you can set on a cookie. It tells the browser whether the cookie may be sent with cross-site requests, that is, requests initiated from a different site than the one the cookie belongs to. There are three values, None, Lax and Strict, and you pick one to decide how strictly the browser enforces it.
When samesite=None is set, the browser does not enforce any SameSite rule and sends the cookie on every cross-site request. Even where browsers treat cookies with no SameSite attribute as Lax (which is the case for Chrome 80 and later), an explicit None switches that protection off. Note that Chrome 80 and later also reject a SameSite=None cookie that does not carry the Secure attribute, so None only works over HTTPS and must always be paired with Secure.
When a cookie is marked samesite=Lax, it is not sent on cross-site requests unless the request is a top-level navigation with a safe method, such as the user following a regular link to the target site. Cross-site requests with other methods (such as POST or PUT), cross-site XHR/fetch requests and subresource loads (images, iframes) do not carry the cookie. One caveat for people relying on the browser default: Chrome's Lax-by-default behaviour still sends a cookie that has no SameSite attribute on top-level cross-site POSTs for the first two minutes after it is set (the "Lax + POST" intervention); a cookie explicitly marked SameSite=Lax does not get that exception.
If you mark a cookie as Strict, it is not sent on any cross-site request whatsoever. Even if the user simply follows a regular link to the target site, the cookie stays behind, so the first page they land on sees them as logged out. This can lead to confusing or downright impractical user experiences, so be careful if you use Strict for a session cookie.
SameSite session cookies in PHP 7.3
PHP 7.3 adds a new php.ini directive, session.cookie_samesite, which makes PHP append the SameSite attribute to the session cookie it sends; when the directive is empty, no attribute is sent. Edit your php.ini and set the directive to the value you want, for example Lax.
You can change the Lax value to Strict. For SameSite=None session cookies the value must be written with quotes in php.ini ("None"), because the INI parser treats a bare none (like null, off, no and false) as an empty string: an unquoted None leaves the directive empty and the attribute is silently omitted.
When the attribute is omitted it is up to the browser to assume a default value. Most notably, Chrome 80 and onwards assumes samesite=Lax in that case.
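To make the quoting rule concrete, here is an added example (not code from the original post) that feeds constructed php.ini fragments through parse_ini_string(), which runs the same INI scanner that php.ini itself goes through, and reports what value session.cookie_samesite ends up with. The fragments and function names are the example's own.

```php
<?php
declare(strict_types=1);

// Constructed php.ini fragments for the demo: bare keyword, quoted string, plain value.
const INI_BARE_NONE   = "session.cookie_samesite = None\n";
const INI_QUOTED_NONE = "session.cookie_samesite = \"None\"\n";
const INI_LAX         = "session.cookie_samesite = Lax\n";

/**
 * Parse a php.ini fragment with the scanner php.ini uses and return the value
 * that session.cookie_samesite ends up with. The scanner maps the bare
 * keywords null, off, no, false and none to an empty string, which is exactly
 * the trap an unquoted None falls into.
 */
function samesite_from_ini(string $fragment): string
{
    $parsed = parse_ini_string($fragment, false, INI_SCANNER_NORMAL);
    if ($parsed === false) {
        throw new RuntimeException('INI fragment failed to parse');
    }
    return $parsed['session.cookie_samesite'] ?? '';
}

/**
 * Describe the effect on the Set-Cookie header PHP will emit for the session
 * cookie: an empty directive means no SameSite attribute at all, so the
 * browser's default (Lax in Chrome 80+) applies instead of what you intended.
 */
function describe_directive(string $fragment): string
{
    $value = samesite_from_ini($fragment);
    return $value === ''
        ? 'directive empty: no SameSite attribute sent, browser default applies'
        : "PHP sends SameSite=$value";
}

foreach ([INI_BARE_NONE, INI_QUOTED_NONE, INI_LAX] as $fragment) {
    printf("%-36s -> %s\n", trim($fragment), describe_directive($fragment));
}
```

Run it with php from the command line: the bare None fragment parses to an empty value, the quoted "None" fragment keeps the string None, and Lax is taken literally. If you set the directive at runtime instead of in php.ini, use ini_set('session.cookie_samesite', 'None') before session_start(); PHP strings are not run through the INI keyword mapping, so no quoting trick is needed there.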
SameSite flag on custom cookies
PHP 7.3 also adds an alternative signature for setcookie() (and setrawcookie()) that takes an options array in place of the positional path/domain/secure/httponly arguments, with a samesite key:
setcookie('NAME_OF_A_SENSITIVE_COOKIE', 'cookie_value', ['samesite' => 'Lax']);
setcookie('NAME_OF_A_SUPER_SECURE_COOKIE', 'cookie_value', ['samesite' => 'Strict']);
// None must be paired with Secure, otherwise Chrome 80+ discards the cookie.
setcookie('NAME_OF_A_MEH_COOKIE', 'cookie_value', ['samesite' => 'None', 'secure' => true]);
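The following added example (not from the original post) ties the session-cookie directive above and the setcookie() options array together: one helper builds the options, restricts the value to Lax, Strict or None, and forces Secure whenever None is used, since Chrome 80+ discards SameSite=None cookies without it. The cookie names, helper names and lifetimes are the example's own assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Build the PHP 7.3+ options array for session_set_cookie_params().
 * Validates the SameSite value and enforces the browser rules described
 * above: None is only ever sent together with Secure, and sensitive
 * cookies default to HttpOnly so script cannot read them.
 */
function samesite_cookie_options(string $samesite, int $lifetime = 0, bool $httponly = true): array
{
    $samesite = ucfirst(strtolower($samesite));
    if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Invalid SameSite value: $samesite");
    }
    return [
        'lifetime' => $lifetime,     // relative seconds; key used by session_set_cookie_params()
        'path'     => '/',
        'domain'   => '',
        'secure'   => $samesite === 'None' || !empty($_SERVER['HTTPS']),
        'httponly' => $httponly,
        'samesite' => $samesite,
    ];
}

/**
 * Send a custom cookie with the same policy. setcookie() wants an absolute
 * 'expires' timestamp rather than 'lifetime' and rejects unknown keys, so the
 * array is translated before the call. Returns false if headers were already sent.
 */
function set_samesite_cookie(string $name, string $value, string $samesite, int $lifetime = 0): bool
{
    $opts = samesite_cookie_options($samesite, $lifetime);
    $opts['expires'] = $lifetime > 0 ? time() + $lifetime : 0;
    unset($opts['lifetime']);
    return setcookie($name, $value, $opts);
}

// Session cookie: Lax keeps logins working across plain links while blocking
// cross-site POST and XHR from riding on the session.
session_set_cookie_params(samesite_cookie_options('Lax'));
session_start();

// A per-session token for state-changing actions that must never leave the site.
set_samesite_cookie('action_token', bin2hex(random_bytes(16)), 'Strict', 3600);

// A preference that a cross-site embed needs; None forces Secure automatically.
set_samesite_cookie('embed_pref', 'dark', 'None', 86400 * 30);
```

Because both functions share one validation path, a typo such as 'none' is normalised rather than silently turned into a missing attribute, and there is no way to emit SameSite=None without Secure. Call samesite_cookie_options() before session_start(), as session_set_cookie_params() has no effect once the session cookie has been sent.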