PHP setcookie "SameSite=Strict"?


Question

I recently read "RFC 6265" on the attribute "Same Site", I looked at some articles that talked about that in April 2016, "same-site" attribute has been implemented for Chrome 51 and Opera 39 ...

I wonder if current PHP supports creating cookies with this attribute?

References:

  • Feature documentation on Chrome’s chromestatus.com
  • HTTPbis draft first adopted by Chrome
  • Latest HTTPbis draft

Recommended answer

[Important update: As @caw pointed out below, this hack WILL BREAK in PHP 7.3. Stop using it now to save yourself from unpleasant surprises! Or at least wrap it in a PHP version check like if (PHP_VERSION_ID < 70300) { ... } else { ... }.]

It seems like you can abuse the "path" or "domain" parameter of PHP's "setcookie" function to sneak in the SameSite attribute because PHP does not escape semicolons:

setcookie('samesite-test', '1', 0, '/; samesite=strict');

Then PHP sends the following HTTP header:

Set-Cookie: samesite-test=1; path=/; samesite=strict

I've just discovered this a few minutes ago, so please do your own testing! I'm using PHP 7.1.11.
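
The version check suggested in the update, written out as an added example (not part of the original answer). The function names build_samesite_cookie_header and set_samesite_cookie are hypothetical; on PHP 7.3 and later it uses the options array of setcookie, and on older versions it builds the Set-Cookie header itself after rejecting separator characters in each field.

```php
<?php
// Added example; the function names are hypothetical, not from the answer above.

function build_samesite_cookie_header(string $name, string $value, array $opt): string
{
    // Reject separators and whitespace so no field can smuggle in an extra
    // attribute or header line (the behaviour the path trick relies on).
    if ($name === '' || preg_match('/[=,;\s]/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    foreach (['path', 'domain'] as $key) {
        if (isset($opt[$key]) && preg_match('/[,;\s]/', $opt[$key])) {
            throw new InvalidArgumentException("invalid cookie $key");
        }
    }
    $sameSite = ucfirst(strtolower($opt['samesite'] ?? 'Strict'));
    if (!in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException('invalid SameSite value');
    }

    // Percent-encode the value so it cannot contain ';' or CR/LF.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if (!empty($opt['expires'])) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', (int) $opt['expires']) . ' GMT';
    }
    if (!empty($opt['path']))     { $header .= '; Path=' . $opt['path']; }
    if (!empty($opt['domain']))   { $header .= '; Domain=' . $opt['domain']; }
    if (!empty($opt['secure']))   { $header .= '; Secure'; }
    if (!empty($opt['httponly'])) { $header .= '; HttpOnly'; }
    return $header . '; SameSite=' . $sameSite;
}

function set_samesite_cookie(string $name, string $value, array $opt = []): bool
{
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ takes an options array that includes a 'samesite' key.
        return setcookie($name, $value, $opt + ['samesite' => 'Strict']);
    }
    if (headers_sent()) {
        return false; // too late to add a header
    }
    header(build_samesite_cookie_header($name, $value, $opt), false); // false: append, do not replace
    return true;
}

// Same cookie as in the answer, without abusing the path parameter.
set_samesite_cookie('samesite-test', '1', ['path' => '/']);
```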
