Add support for SameSite session cookies #215
Open
mentalstring wants to merge 1 commit into FriendsOfSymfony1:master from mentalstring:samesite-cookies
This modification tells that there is a BC break. As the feature is only for PHP >= 7.3, the current tests should not be touched. But add a test to target the specific version.
This is not a BC break. The existence of ['samesite' => ''] in the output of getCookies() does not affect behavior - it gets ignored by setrawcookie and doesn't get sent in the header.
The BC break does not impact PHP >= 7.3, but it does impact PHP < 7.3.
What is the problem with having behaviour depending on the PHP version?
The behavior does depend on PHP version: https://github.com/FriendsOfSymfony1/symfony1/pull/215/files#diff-5aa2248855efa9ca1219f04cb7575c93a0a1f4af85e30ff32013bf84afcbf0d5R370-R381
In PHP < 7.3, it calls session_set_cookie_params in the original form. In PHP >= 7.3, it uses the new form (passing options as an array, including the samesite setting, which is a no-op unless a value has been explicitly set). Yes, $response->getCookies() returns something different, but I don't think returning an extra key in an array from a getter of an internal property should be considered a BC break.
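The version-dependent call described in the comment above, as an added PHP example; this is not code from the PR or from symfony1, and the function name configureSessionCookie and the option keys are assumptions made for the illustration.

```php
<?php
// Added example (not the PR's code): pick the session_set_cookie_params form
// by PHP version, so a SameSite attribute can be requested on PHP >= 7.3
// while older versions keep the positional call. Option keys are assumed.

/**
 * Apply session cookie parameters before session_start().
 *
 * @param array $options keys: lifetime, path, domain, secure, httponly, samesite
 */
function configureSessionCookie(array $options)
{
    $options = array_merge([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => false,
        'httponly' => true,
        'samesite' => '',   // empty string: no SameSite attribute is emitted
    ], $options);

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: single array argument; 'samesite' is only honoured here
        session_set_cookie_params($options);
        return;
    }

    // PHP < 7.3: positional form has no SameSite slot, so the key is dropped
    session_set_cookie_params(
        $options['lifetime'],
        $options['path'],
        $options['domain'],
        $options['secure'],
        $options['httponly']
    );
}

// Usage: a Secure, HttpOnly session cookie with SameSite=Lax where supported
configureSessionCookie(['secure' => true, 'samesite' => 'Lax']);
session_start();
```

On PHP < 7.3 the cookie is still set, just without the SameSite attribute, which is the version-dependent behaviour the discussion is about.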
What I think
As you said: the behaviour does depend on PHP version.
And tests are a proof that the behaviour works as it should.
The tests should expose this behaviour.
getCookies() is part of the public interface, not the private one. So it should not lie about what value is passed to PHP internal functions.
It is just my opinion.
Between: the property $cookies is protected, so part of the public interface.
In practice
Let's say that we can spy on the arguments passed to these functions:
session_set_cookie_params
setrawcookie
On those tests, we will see something like that: