We need the "Partitioned" parameter to be added to setcookie() options.

[Fell-x27]

Description

As stated here (link), soon our cookies with SameSite=None; Secured, without the Partitioned parameter, will stop working.

Currently, there is no capability to add this parameter through setcookie(). A temporary solution could be to use header() to form the header, but it would be better to avoid this.

Google Chrome marks these cookies as deprecated already:

[damianwadley]

Precedent: SameSite was implemented in PHP while the standard was still in draft status, with the rationale being that other libraries had already implemented it. Symfony has added support for Partitioned.

This may require an RFC, if just to decide once and for all whether or not to:
(a) Continue supporting the many-parameter syntax for setcookie(), which is becoming more and more unwieldy as more cookie options are invented, though named parameters does alleviate some of that complexity,
(b) Double-down on the options array, and at the same time I'd question whether the array needs to be locked-down as it is or whether it could be opened up to free-form options (🦶🔫),
(c) Switch to a whole new API entirely, such as an OOP builder.

There is a similar RFC for SameSite that's gone stale.

[nielsdos]

Certainly not hard to implement at our side. Here's a proof-of-concept that adds the option to the setcookie() $options argument: #12652

I'm not sure whether adding the option to the $options array requires an RFC, but probably changing the signature does indeed. I agree with Damian that should be resolved together with "what to do with SameSite argument?" and we should indeed answer the a, b, c questions too.

[Fell-x27]

Certainly not hard to implement at our side. Here's a proof-of-concept that adds the option to the setcookie() $options argument: #12652

I'm not sure whether adding the option to the $options array requires an RFC, but probably changing the signature does indeed. I agree with Damian that should be resolved together with "what to do with SameSite argument?" and we should indeed answer the a, b, c questions too.

Well, the array already allows more than args, so it wasn't a problem before as I see it :)

[westonruter]

Looks like a proof of concept PR has been opened to implement this: #12652

(My bad, I see this was already mentioned above in #12646 (comment))

[DustinAPI]

Google has sent out the notification that 1% of all chrome browsers will be using this on Jan 4, 2024!

https://blog.google/products/chrome/privacy-sandbox-tracking-protection/?utm_campaign=FY24Q2_GL_PRA_CUST_Google-LTI1.3_EN_FOL_CB-60516&utm_medium=email&utm_source=FY24Q2_GL_PRA_CUST_Google-LTI1.3_EN_FOL_CB-60516&utm_content=Product%2FBrand%20Announcement&utm_term=Upcoming%20Google%20Chrome%20changes%20that%20may%20impact%20LTI%20integrations

If this has not been handled elsewhere I think it needs to be put on high priority. Especially the $options version of setcookie as it already added samesite.

[nielsdos]

As requested by Ilija I sent an email to the mailing list to be able to move forward with the PR.

[Fell-x27]

It might also be necessary to include this option in the list of arguments for the session_set_cookie_params function.

[dxh9845]

To be clear, is there an alternative option for setting cookies if the partitioned parameter isn't allowed? I'm looking to support this for a PHP webapp at work that requires cross-site cookies for session management - specifically session_set_cookie_params. Without the Partitioned attribute, Chrome will drop this cookie from being set.

[DustinAPI]

@dxh9845 there are a couple of other alternatives to partitioned cookies suggested by chrome.

https://developers.google.com/privacy-sandbox/3pcd

[snake]

@dxh9845 it's possible, using header() directly (as suggested on the setcookie docs page) . It's not a particularly elegant solution by any measure, but it works just fine for Chrome partitioning support.

[wbdoll]

@dxh9845 I just tried the following and it seems to work. Maybe someone can let us know if this is not a reliable solution.
<?php
session_start();
$id = session_id();
header("Set-Cookie: PHPSESSID=$id; Secure; Path=/; SameSite=None; Partitioned;");
?>