SameSite cookie support

Version7.3
TypeNew Feature

PHP 7.3 now supports the SameSite flag in cookies.

This flag controls whether the cookie needs to be sent in cross-site requests. See the excellent article on web.dev on how to use it.

I have written a separate post about using SameSite cookies in PHP that explains how to use this flag in session cookies.

In order to set the SameSite flag, you can pass an array of options to the setcookie() function:

setcookie('cookie_name', 'cookie_value, [
  'samesite' => 'Lax', // Allowed values: "Lax" or "Strict"
  'expires' => time() + 86400,
]);

Backwards compatibility impact

This uses the new syntax supported setcookie function for setting cookie flags. Since this is the new syntax, there should be no backwards compatibility issues. However, if you would like to use this feature in your projects, you will either need to raise the minimum PHP version to 7.3, or use a custom header() function call to manually set the cookie.

RFC Implementation