Browsers like Google Chrome will phase out support for third-party cookies starting from midway through 2024. The alternative is called CHIPS, which is the acronym of "Cookies Having Independent Partitioned State".
Browsers with CHIPS cookie support allow a new attribute called Partitioned when creating a cookie with the Set-Cookie HTTP header:
Set-Cookie: cookie-name=cookie-value; SameSite=None; Secure; Path=/; Partitioned;
When the browser receives a cookie with the Partitioned attribute set, the
cookie is stored using two keys, the host key and a new partition key.
Consider this example that doesn't use CHIPS cookies:
- User visits https://example-1.com which embeds content from https://3rd-party.com (which in turn sets a cookie from https://3rd-party.com);
- User visits another site called https://example-2.com which also embeds content from https://3rd-party.com;
- The embedded content from https://example-2.com can access the cookie set on https://example-1.com.
This is because cookies are stored with a key (called host key) based on the
host or domain name of the site that set them (in the above example, the key is
3rd-party.com).
When using CHIPS cookies, things work differently:
- User visits https://example-1.com which embeds content from https://3rd-party.com (which in turn sets a cookie from https://3rd-party.com including the Partitioned attribute);
- The cookie is stored using two keys: {("https://example-1.com"), ("3rd-party.com")} (the first one is the partition key and the second one is the host key);
- User visits another site called https://example-2.com which also embeds content from https://3rd-party.com;
- The embedded content from https://example-2.com cannot access the cookie set on https://example-1.com because the partition key (which is https://example-1.com) doesn't match.
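The two lookups described above can be modelled with a small cookie jar. This is an added example, not code from the original post or from any browser: the CookieJar class and its method names are hypothetical, the partition key is simplified to the top-level site's URL as in the lists above, and the Secure check reflects the CHIPS requirement that Partitioned cookies be set with Secure.

```javascript
// Simplified model of a browser cookie jar (added example, not browser code).
// Assumption: the partition key is the top-level site's URL, as in the text.
class CookieJar {
  constructor() {
    this.store = new Map(); // storage key -> Map(cookie name -> value)
  }

  // Parse a Set-Cookie header value into name, value and attribute flags.
  static parse(header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
    const eq = pair.indexOf('=');
    const names = attrs.map((a) => a.split('=')[0].toLowerCase());
    return {
      name: pair.slice(0, eq),
      value: pair.slice(eq + 1),
      partitioned: names.includes('partitioned'),
      secure: names.includes('secure'),
    };
  }

  // Unpartitioned cookies are keyed by host key only; Partitioned cookies
  // are keyed by (partition key, host key).
  static key(topLevelSite, host, partitioned) {
    return partitioned ? `${topLevelSite}|${host}` : `|${host}`;
  }

  // Called when `host`, embedded under `topLevelSite`, sends Set-Cookie.
  set(topLevelSite, host, header) {
    const c = CookieJar.parse(header);
    if (c.partitioned && !c.secure) return false; // Partitioned requires Secure
    const k = CookieJar.key(topLevelSite, host, c.partitioned);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(c.name, c.value);
    return true;
  }

  // Cookies visible to `host` when it is embedded under `topLevelSite`.
  visible(topLevelSite, host) {
    const out = {};
    for (const partitioned of [false, true]) {
      const bucket = this.store.get(CookieJar.key(topLevelSite, host, partitioned));
      if (bucket) for (const [n, v] of bucket) out[n] = v;
    }
    return out;
  }
}

// Constructed sample: 3rd-party.com sets both kinds of cookie under example-1.com.
const jar = new CookieJar();
jar.set('https://example-1.com', '3rd-party.com', 'legacy=1; SameSite=None; Secure; Path=/');
jar.set('https://example-1.com', '3rd-party.com', 'chips=1; SameSite=None; Secure; Path=/; Partitioned;');
console.log(jar.visible('https://example-2.com', '3rd-party.com'));
```

Under https://example-2.com only the unpartitioned cookie is returned; the Partitioned one is visible again only when the embed is loaded under https://example-1.com.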
In Symfony 6.4/7.0, we've added support for CHIPS cookies in the
HttpFoundation component. In practice, cookies now include a partitioned
flag that you can set when creating them:
use Symfony\Component\HttpFoundation\Cookie;
$cookie = new Cookie('cookie-name', 'cookie-value', '...', partitioned: true);
// or:
$cookie = Cookie::fromString('cookie-name=cookie-value; ...; Partitioned;');
// or:
$cookie = ...
// with*() methods return a new instance, so keep the returned cookie
$cookie = $cookie->withPartitioned();
And you can also check if a cookie is a CHIPS cookie with this new method:
$isPartitioned = $cookie->isPartitioned();
Learn more about CHIPS cookies:
The handling of third-party cookies will change dramatically in the coming months. Thanks to the continuous Symfony updates, your applications can prepare in advance.
Thanks for being on top of sneaky-yet-impactful changes like this!
Just started to create issues and PRs to get this implemented in more Symfony bundles 🙌