PHP setcookie "SameSite=Strict"?
I recently read RFC 6265 and the "SameSite" attribute, and I looked at some articles from April 2016 saying that the "same-site" attribute has been implemented in Chrome 51 and Opera 39 ...
I wonder if current PHP supports creating cookies with this attribute?
References:
- Feature documentation on Chrome's chromestatus.com
- HTTPbis draft first adopted by Chrome
- Latest HTTPbis draft
[Important update: As @caw pointed out below, this hack WILL BREAK in PHP 7.3. Stop using it now to save yourself from unpleasant surprises! Or at least wrap it in a PHP version check like `if (PHP_VERSION_ID < 70300) { ... } else { ... }`.]
It seems like you can abuse the "path" or "domain" parameter of PHP's "setcookie" function to sneak in the SameSite attribute because PHP does not escape semicolons:
setcookie('samesite-test', '1', 0, '/; samesite=strict');
Then PHP sends the following HTTP header:
Set-Cookie: samesite-test=1; path=/; samesite=strict
I've just discovered this a few minutes ago, so please do your own testing! I'm using PHP 7.1.11.
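A version-aware helper along the lines the answer suggests, as an added example that is not part of the original post: it assumes the PHP 7.3 options-array form of setcookie() with a 'samesite' key, and on older PHP it emits the Set-Cookie header directly with header() instead of relying on the path hack.

```php
<?php
// Added example (not from the question or the answer): a SameSite-aware cookie
// helper wrapped in the PHP_VERSION_ID check the answer suggests.
// Assumes PHP >= 7.3 accepts the options-array form of setcookie() with a
// 'samesite' key; on older PHP it emits the header itself instead of the path hack.
function set_samesite_cookie(
    string $name,
    string $value,
    int $expires = 0,
    string $path = '/',
    string $sameSite = 'Strict',
    bool $secure = true,
    bool $httpOnly = true
): bool {
    // Reject anything but the three values browsers understand, so a typo
    // cannot silently turn into "no SameSite protection at all".
    if (!in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("Unsupported SameSite value: $sameSite");
    }
    // Browsers only honour SameSite=None on cookies that are also Secure.
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure flag');
    }
    // The path must stay a single attribute: no ';' smuggling in either branch.
    if (strpbrk($path, ";,\r\n") !== false) {
        throw new InvalidArgumentException('Invalid characters in cookie path');
    }
    if (PHP_VERSION_ID >= 70300) {
        // Native support: PHP validates the attributes and encodes the value.
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => $path,
            'secure'   => $secure,
            'httponly' => $httpOnly,
            'samesite' => $sameSite,
        ]);
    }
    // Pre-7.3 fallback: build Set-Cookie by hand with the value URL-encoded,
    // which is what setcookie() does internally.
    $header = rawurlencode($name) . '=' . rawurlencode($value) . '; path=' . $path;
    if ($expires > 0) { $header .= '; expires=' . gmdate('D, d-M-Y H:i:s T', $expires); }
    if ($secure)      { $header .= '; secure'; }
    if ($httpOnly)    { $header .= '; httponly'; }
    header('Set-Cookie: ' . $header . '; SameSite=' . $sameSite, false);
    return true;
}
set_samesite_cookie('samesite-test', '1');  // the answer's cookie, done properly
```

On PHP 7.3+ the resulting header is produced by PHP itself; on older versions it is `Set-Cookie: samesite-test=1; path=/; secure; httponly; SameSite=Strict`.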