From 744fd4c867135ee8f1053494af204c84384e4548 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Fri, 10 Nov 2023 23:50:24 +0100 Subject: [PATCH 1/2] Implement proof-of-concept partitioned option for setcookie --- ext/standard/head.c | 20 ++++++++++++++----- ext/standard/head.h | 17 ++++++++-------- ext/standard/tests/network/setcookie.phpt | 4 +++- .../network/setcookie_array_option_error.phpt | 7 +++++++ 4 files changed, 34 insertions(+), 14 deletions(-) diff --git a/ext/standard/head.c b/ext/standard/head.c index ccef4be16bdfd..0b497fdc42aab 100644 --- a/ext/standard/head.c +++ b/ext/standard/head.c @@ -79,7 +79,7 @@ PHPAPI bool php_header(void) #define ILLEGAL_COOKIE_CHARACTER "\",\", \";\", \" \", \"\\t\", \"\\r\", \"\\n\", \"\\013\", or \"\\014\"" PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t expires, zend_string *path, zend_string *domain, bool secure, bool httponly, - zend_string *samesite, bool url_encode) + zend_string *samesite, bool partitioned, bool url_encode) { zend_string *dt; sapi_header_line ctr = {0}; @@ -117,6 +117,11 @@ PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t e return FAILURE; } #endif + if (partitioned && !secure) { + zend_value_error("%s(): \"partitioned\" option cannot be used without \"secure\" option", + get_active_function_name()); + return FAILURE; + } /* Should check value of SameSite? */ @@ -182,6 +187,9 @@ PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t e smart_str_appends(&buf, COOKIE_SAMESITE); smart_str_append(&buf, samesite); } + if (partitioned) { + smart_str_appends(&buf, COOKIE_PARTITIONED); + } ctr.line = ZSTR_VAL(buf.s); ctr.line_len = (uint32_t) ZSTR_LEN(buf.s); @@ -192,7 +200,7 @@ PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t e } static zend_result php_head_parse_cookie_options_array(HashTable *options, zend_long *expires, zend_string **path, - zend_string **domain, bool *secure, bool *httponly, zend_string **samesite) + zend_string **domain, bool *secure, bool *httponly, zend_string **samesite, bool *partitioned) { zend_string *key; zval *value; @@ -214,6 +222,8 @@ static zend_result php_head_parse_cookie_options_array(HashTable *options, zend_ *httponly = zval_is_true(value); } else if (zend_string_equals_literal_ci(key, "samesite")) { *samesite = zval_get_string(value); + } else if (zend_string_equals_literal_ci(key, "partitioned")) { + *partitioned = zval_is_true(value); } else { zend_value_error("%s(): option \"%s\" is invalid", get_active_function_name(), ZSTR_VAL(key)); return FAILURE; @@ -227,7 +237,7 @@ static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw) HashTable *options = NULL; zend_long expires = 0; zend_string *name, *value = NULL, *path = NULL, *domain = NULL, *samesite = NULL; - bool secure = 0, httponly = 0; + bool secure = 0, httponly = 0, partitioned = false; ZEND_PARSE_PARAMETERS_START(1, 7) Z_PARAM_STR(name) @@ -248,13 +258,13 @@ static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw) } if (FAILURE == php_head_parse_cookie_options_array(options, &expires, &path, - &domain, &secure, &httponly, &samesite) + &domain, &secure, &httponly, &samesite, &partitioned) ) { goto cleanup; } } - if (php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, !is_raw) == SUCCESS) { + if (php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, partitioned, !is_raw) == SUCCESS) { RETVAL_TRUE; } else { RETVAL_FALSE; diff --git a/ext/standard/head.h b/ext/standard/head.h index 32c2570a53255..0272fec2dc215 100644 --- a/ext/standard/head.h +++ b/ext/standard/head.h @@ -17,19 +17,20 @@ #ifndef HEAD_H #define HEAD_H -#define COOKIE_EXPIRES "; expires=" -#define COOKIE_MAX_AGE "; Max-Age=" -#define COOKIE_DOMAIN "; domain=" -#define COOKIE_PATH "; path=" -#define COOKIE_SECURE "; secure" -#define COOKIE_HTTPONLY "; HttpOnly" -#define COOKIE_SAMESITE "; SameSite=" +#define COOKIE_EXPIRES "; expires=" +#define COOKIE_MAX_AGE "; Max-Age=" +#define COOKIE_DOMAIN "; domain=" +#define COOKIE_PATH "; path=" +#define COOKIE_SECURE "; secure" +#define COOKIE_HTTPONLY "; HttpOnly" +#define COOKIE_SAMESITE "; SameSite=" +#define COOKIE_PARTITIONED "; Partitioned" extern PHP_RINIT_FUNCTION(head); PHPAPI bool php_header(void); PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t expires, zend_string *path, zend_string *domain, bool secure, bool httponly, - zend_string *samesite, bool url_encode); + zend_string *samesite, bool partitioned, bool url_encode); #endif diff --git a/ext/standard/tests/network/setcookie.phpt b/ext/standard/tests/network/setcookie.phpt index f43680a5bceae..caf9aa9ae0763 100644 --- a/ext/standard/tests/network/setcookie.phpt +++ b/ext/standard/tests/network/setcookie.phpt @@ -19,6 +19,7 @@ setcookie('name', 'value', 0, '', '', FALSE, TRUE); setcookie('name', 'value', ['expires' => $tsp]); setcookie('name', 'value', ['expires' => $tsn, 'path' => '/path/', 'domain' => 'domain.tld', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']); +setcookie('name', 'value', ['secure' => true, 'partitioned' => true]); $expected = array( 'Set-Cookie: name=deleted; expires='.date('D, d M Y H:i:s', 1).' GMT; Max-Age=0', @@ -34,7 +35,8 @@ $expected = array( 'Set-Cookie: name=value; secure', 'Set-Cookie: name=value; HttpOnly', 'Set-Cookie: name=value; expires='.date('D, d M Y H:i:s', $tsp).' GMT; Max-Age=5', - 'Set-Cookie: name=value; expires='.date('D, d M Y H:i:s', $tsn).' GMT; Max-Age=0; path=/path/; domain=domain.tld; secure; HttpOnly; SameSite=Strict' + 'Set-Cookie: name=value; expires='.date('D, d M Y H:i:s', $tsn).' GMT; Max-Age=0; path=/path/; domain=domain.tld; secure; HttpOnly; SameSite=Strict', + 'Set-Cookie: name=value; secure; Partitioned' ); $headers = headers_list(); diff --git a/ext/standard/tests/network/setcookie_array_option_error.phpt b/ext/standard/tests/network/setcookie_array_option_error.phpt index ad4caf35108fa..0fb2ae011c31a 100644 --- a/ext/standard/tests/network/setcookie_array_option_error.phpt +++ b/ext/standard/tests/network/setcookie_array_option_error.phpt @@ -37,6 +37,12 @@ try { } catch (\ValueError $e) { echo $e->getMessage() . "\n"; } +// Partitioned without secure +try { + setcookie('name', 'value', ['partitioned' => true]); +} catch (\ValueError $e) { + echo $e->getMessage() . "\n"; +} // Arguments after options array (will not be set) try { @@ -66,6 +72,7 @@ setcookie(): option array cannot have numeric keys setcookie(): option "foo" is invalid setcookie(): "path" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", or "\014" setcookie(): "domain" option cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", or "\014" +setcookie(): "partitioned" option cannot be used without "secure" option setcookie(): Expects exactly 3 arguments when argument #3 ($expires_or_options) is an array bool(true) array(1) { From 832ea242b39f20f1a2a211ef25e8739a3e91e4e1 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 14 Jul 2025 21:57:58 +0200 Subject: [PATCH 2/2] Add support for ext/session --- ext/session/php_session.h | 1 + ext/session/session.c | 26 ++++++++++ .../session_get_cookie_params_basic.phpt | 38 +++++++++++++-- .../session_get_cookie_params_variation1.phpt | 47 ++++++++++++++++--- .../tests/session_start_partitioned.phpt | 31 ++++++++++++ .../session_start_partitioned_headers.phpt | 13 +++++ php.ini-development | 3 ++ php.ini-production | 3 ++ 8 files changed, 151 insertions(+), 11 deletions(-) create mode 100644 ext/session/tests/session_start_partitioned.phpt create mode 100644 ext/session/tests/session_start_partitioned_headers.phpt diff --git a/ext/session/php_session.h b/ext/session/php_session.h index 8a0d2ed27b868..e48ed4615297f 100644 --- a/ext/session/php_session.h +++ b/ext/session/php_session.h @@ -149,6 +149,7 @@ typedef struct _php_ps_globals { zend_string *cookie_samesite; bool cookie_secure; bool cookie_httponly; + bool cookie_partitioned; const ps_module *mod; const ps_module *default_mod; void *mod_data; diff --git a/ext/session/session.c b/ext/session/session.c index 33cc6cd4b7d16..35e4f9ad1e14e 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -898,6 +898,7 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("session.cookie_path", "/", PHP_INI_ALL, OnUpdateSessionStr, cookie_path, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cookie_domain", "", PHP_INI_ALL, OnUpdateSessionStr, cookie_domain, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.cookie_secure", "0", PHP_INI_ALL, OnUpdateSessionBool, cookie_secure, php_ps_globals, ps_globals) + STD_PHP_INI_BOOLEAN("session.cookie_partitioned","0", PHP_INI_ALL, OnUpdateSessionBool, cookie_partitioned, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0", PHP_INI_ALL, OnUpdateSessionBool, cookie_httponly, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cookie_samesite", "", PHP_INI_ALL, OnUpdateSessionStr, cookie_samesite, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateSessionBool, use_cookies, php_ps_globals, ps_globals) @@ -1388,6 +1389,12 @@ static zend_result php_session_send_cookie(void) return FAILURE; } + /* Check for invalid settings combinations */ + if (UNEXPECTED(PS(cookie_partitioned) && !PS(cookie_secure))) { + php_error_docref(NULL, E_WARNING, "Partitioned session cookie cannot be used without also configuring it as secure"); + return FAILURE; + } + ZEND_ASSERT(strpbrk(ZSTR_VAL(PS(session_name)), SESSION_FORBIDDEN_CHARS) == NULL); /* URL encode id because it might be user supplied */ @@ -1432,6 +1439,10 @@ static zend_result php_session_send_cookie(void) smart_str_appends(&ncookie, COOKIE_SECURE); } + if (PS(cookie_partitioned)) { + smart_str_appends(&ncookie, COOKIE_PARTITIONED); + } + if (PS(cookie_httponly)) { smart_str_appends(&ncookie, COOKIE_HTTPONLY); } @@ -1725,6 +1736,7 @@ PHP_FUNCTION(session_set_cookie_params) zend_string *lifetime = NULL, *path = NULL, *domain = NULL, *samesite = NULL; bool secure = 0, secure_null = 1; bool httponly = 0, httponly_null = 1; + bool partitioned = false, partitioned_null = true; zend_string *ini_name; zend_result result; int found = 0; @@ -1792,6 +1804,10 @@ PHP_FUNCTION(session_set_cookie_params) secure = zval_is_true(value); secure_null = 0; found++; + } else if (zend_string_equals_literal_ci(key, "partitioned")) { + partitioned = zval_is_true(value); + partitioned_null = 0; + found++; } else if (zend_string_equals_literal_ci(key, "httponly")) { httponly = zval_is_true(value); httponly_null = 0; @@ -1856,6 +1872,15 @@ PHP_FUNCTION(session_set_cookie_params) goto cleanup; } } + if (!partitioned_null) { + ini_name = ZSTR_INIT_LITERAL("session.cookie_partitioned", 0); + result = zend_alter_ini_entry_chars(ini_name, partitioned ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME); + zend_string_release_ex(ini_name, 0); + if (result == FAILURE) { + RETVAL_FALSE; + goto cleanup; + } + } if (!httponly_null) { ini_name = ZSTR_INIT_LITERAL("session.cookie_httponly", 0); result = zend_alter_ini_entry_chars(ini_name, httponly ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME); @@ -1898,6 +1923,7 @@ PHP_FUNCTION(session_get_cookie_params) add_assoc_str(return_value, "path", zend_string_dup(PS(cookie_path), false)); add_assoc_str(return_value, "domain", zend_string_dup(PS(cookie_domain), false)); add_assoc_bool(return_value, "secure", PS(cookie_secure)); + add_assoc_bool(return_value, "partitioned", PS(cookie_partitioned)); add_assoc_bool(return_value, "httponly", PS(cookie_httponly)); add_assoc_str(return_value, "samesite", zend_string_dup(PS(cookie_samesite), false)); } diff --git a/ext/session/tests/session_get_cookie_params_basic.phpt b/ext/session/tests/session_get_cookie_params_basic.phpt index 65b020d30b9ec..1c7cdf189fc9d 100644 --- a/ext/session/tests/session_get_cookie_params_basic.phpt +++ b/ext/session/tests/session_get_cookie_params_basic.phpt @@ -9,6 +9,7 @@ session.cookie_lifetime=0 session.cookie_path="/" session.cookie_domain="" session.cookie_secure=0 +session.cookie_partitioned=0 session.cookie_httponly=0 session.cookie_samesite="" --FILE-- @@ -31,13 +32,17 @@ var_dump(session_set_cookie_params([ "httponly" => FALSE, "samesite" => "please"])); var_dump(session_get_cookie_params()); +var_dump(session_set_cookie_params([ + "secure" => TRUE, + "partitioned" => TRUE])); +var_dump(session_get_cookie_params()); echo "Done"; ob_end_flush(); ?> --EXPECTF-- *** Testing session_get_cookie_params() : basic functionality *** -array(6) { +array(7) { ["lifetime"]=> int(0) ["path"]=> @@ -46,13 +51,15 @@ array(6) { string(0) "" ["secure"]=> bool(false) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(false) ["samesite"]=> string(0) "" } bool(true) -array(6) { +array(7) { ["lifetime"]=> int(3600) ["path"]=> @@ -61,13 +68,15 @@ array(6) { string(4) "blah" ["secure"]=> bool(false) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(false) ["samesite"]=> string(0) "" } bool(true) -array(6) { +array(7) { ["lifetime"]=> int(%d) ["path"]=> @@ -76,13 +85,15 @@ array(6) { string(3) "foo" ["secure"]=> bool(true) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(true) ["samesite"]=> string(0) "" } bool(true) -array(6) { +array(7) { ["lifetime"]=> int(123) ["path"]=> @@ -91,6 +102,25 @@ array(6) { string(3) "baz" ["secure"]=> bool(false) + ["partitioned"]=> + bool(false) + ["httponly"]=> + bool(false) + ["samesite"]=> + string(6) "please" +} +bool(true) +array(7) { + ["lifetime"]=> + int(123) + ["path"]=> + string(4) "/bar" + ["domain"]=> + string(3) "baz" + ["secure"]=> + bool(true) + ["partitioned"]=> + bool(true) ["httponly"]=> bool(false) ["samesite"]=> diff --git a/ext/session/tests/session_get_cookie_params_variation1.phpt b/ext/session/tests/session_get_cookie_params_variation1.phpt index 4feb0d3ec81d1..7ce112c9b94dd 100644 --- a/ext/session/tests/session_get_cookie_params_variation1.phpt +++ b/ext/session/tests/session_get_cookie_params_variation1.phpt @@ -9,6 +9,7 @@ session.cookie_lifetime=0 session.cookie_path="/" session.cookie_domain="" session.cookie_secure=0 +session.cookie_partitioned=0 session.cookie_httponly=0 session.cookie_samesite="" --FILE-- @@ -31,13 +32,15 @@ ini_set("session.cookie_httponly", TRUE); var_dump(session_get_cookie_params()); ini_set("session.cookie_samesite", "foo"); var_dump(session_get_cookie_params()); +ini_set("session.cookie_partitioned", TRUE); +var_dump(session_get_cookie_params()); echo "Done"; ob_end_flush(); ?> --EXPECT-- *** Testing session_get_cookie_params() : variation *** -array(6) { +array(7) { ["lifetime"]=> int(0) ["path"]=> @@ -46,12 +49,14 @@ array(6) { string(0) "" ["secure"]=> bool(false) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(false) ["samesite"]=> string(0) "" } -array(6) { +array(7) { ["lifetime"]=> int(3600) ["path"]=> @@ -60,12 +65,14 @@ array(6) { string(0) "" ["secure"]=> bool(false) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(false) ["samesite"]=> string(0) "" } -array(6) { +array(7) { ["lifetime"]=> int(3600) ["path"]=> @@ -74,12 +81,14 @@ array(6) { string(0) "" ["secure"]=> bool(false) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(false) ["samesite"]=> string(0) "" } -array(6) { +array(7) { ["lifetime"]=> int(3600) ["path"]=> @@ -88,12 +97,14 @@ array(6) { string(3) "foo" ["secure"]=> bool(false) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(false) ["samesite"]=> string(0) "" } -array(6) { +array(7) { ["lifetime"]=> int(3600) ["path"]=> @@ -102,12 +113,14 @@ array(6) { string(3) "foo" ["secure"]=> bool(true) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(false) ["samesite"]=> string(0) "" } -array(6) { +array(7) { ["lifetime"]=> int(3600) ["path"]=> @@ -116,12 +129,30 @@ array(6) { string(3) "foo" ["secure"]=> bool(true) + ["partitioned"]=> + bool(false) ["httponly"]=> bool(true) ["samesite"]=> string(0) "" } -array(6) { +array(7) { + ["lifetime"]=> + int(3600) + ["path"]=> + string(5) "/path" + ["domain"]=> + string(3) "foo" + ["secure"]=> + bool(true) + ["partitioned"]=> + bool(false) + ["httponly"]=> + bool(true) + ["samesite"]=> + string(3) "foo" +} +array(7) { ["lifetime"]=> int(3600) ["path"]=> @@ -130,6 +161,8 @@ array(6) { string(3) "foo" ["secure"]=> bool(true) + ["partitioned"]=> + bool(true) ["httponly"]=> bool(true) ["samesite"]=> diff --git a/ext/session/tests/session_start_partitioned.phpt b/ext/session/tests/session_start_partitioned.phpt new file mode 100644 index 0000000000000..c2c1b33ae074a --- /dev/null +++ b/ext/session/tests/session_start_partitioned.phpt @@ -0,0 +1,31 @@ +--TEST-- +session_start() with partitioned cookies +--INI-- +session.use_strict_mode=0 +session.save_handler=files +session.save_path= +session.cookie_secure=0 +session.cookie_partitioned=0 +--EXTENSIONS-- +session +--SKIPIF-- + +--FILE-- + true])); +var_dump(session_start(['cookie_partitioned' => true, 'cookie_secure' => false])); +var_dump(session_start(['cookie_partitioned' => true, 'cookie_secure' => true])); + +ob_end_flush(); + +?> +--EXPECTF-- +Warning: session_start(): Partitioned session cookie cannot be used without also configuring it as secure in %s on line %d +bool(false) + +Warning: session_start(): Partitioned session cookie cannot be used without also configuring it as secure in %s on line %d +bool(false) +bool(true) diff --git a/ext/session/tests/session_start_partitioned_headers.phpt b/ext/session/tests/session_start_partitioned_headers.phpt new file mode 100644 index 0000000000000..6fa3815aa85d0 --- /dev/null +++ b/ext/session/tests/session_start_partitioned_headers.phpt @@ -0,0 +1,13 @@ +--TEST-- +session_start() with partitioned cookies - header test +--EXTENSIONS-- +session +--FILE-- + true, "partitioned" => true]); +session_start(); +?> +--EXPECTHEADERS-- +Set-Cookie: PHPSESSID=12345; path=/; secure; Partitioned +--EXPECT-- diff --git a/php.ini-development b/php.ini-development index 6ef1f940b2f7e..2ee7adf198c3b 100644 --- a/php.ini-development +++ b/php.ini-development @@ -1324,6 +1324,9 @@ session.use_cookies = 1 ; https://php.net/session.cookie-secure ;session.cookie_secure = +; https://php.net/session.cookie-partitioned +;session.cookie_partitioned = 0 + ; This option forces PHP to fetch and use a cookie for storing and maintaining ; the session id. We encourage this operation as it's very helpful in combating ; session hijacking when not specifying and managing your own session id. It is diff --git a/php.ini-production b/php.ini-production index d1b25a34a487f..7377faeae08a5 100644 --- a/php.ini-production +++ b/php.ini-production @@ -1326,6 +1326,9 @@ session.use_cookies = 1 ; https://php.net/session.cookie-secure ;session.cookie_secure = +; https://php.net/session.cookie-partitioned +;session.cookie_partitioned = 0 + ; This option forces PHP to fetch and use a cookie for storing and maintaining ; the session id. We encourage this operation as it's very helpful in combating ; session hijacking when not specifying and managing your own session id. It is