New in Symfony 6.4: CHIPS Cookies

October 23, 2023 Published by Avatar of Javier Eguiluz Javier Eguiluz

Symfony 6.4 is backed by:

Private Packagist is a fast, reliable, and secure Composer repository for your private packages. It mirrors all your open-source dependencies for better availability and monitors them for security vulnerabilities.
As the creator of Symfony, SensioLabs supports companies using Symfony, with an offering encompassing consultancy, expertise, services, training, and technical assistance to ensure the success of web application development projects.
Fabrice Locher
Contributed by Fabrice Locher in #52002

Browsers like Google Chrome will phase out support for third-party cookies starting from midway through 2024. The alternative is called CHIPS, which is the acronym of "Cookies Having Independent Partitioned State".

Browsers with CHIPS cookie support allow a new attribute called Partitioned when creating a cookie with the Set-Cookie HTTP header:

1
Set-Cookie: cookie-name=cookie-value; SameSite=None; Secure; Path=/; Partitioned;

When the browser receives a cookie with the Partitioned attribute set, the cookie is stored using two keys, the host key and a new partition key. Consider this example that doesn't use CHIPS cookies:

  1. User visits https://example-1.com which embeds content from https://3rd-party.com (which in turn sets a cookie from https://3rd-party.com);
  2. User visits another site called https://example-2.com which also embeds content from https://3rd-party.com;
  3. The embedded content from https://example-2.com can access the cookie set on https://example-1.com.

This is because cookies are stored with a key (called host key) based on the host or domain name of the site that set them (in the above example, the key is 3rd-party.com).

When using CHIPS cookies, things work differently:

  1. User visits https://example-1.com which embeds content from https://3rd-party.com (which in turn sets a cookie from https://3rd-party.com including the Partitioned attribute);
  2. The cookie is stored using two keys: {("https://example-1.com"), ("3rd-party.com")} (the first one is the partition key and the second one is the host key);
  3. User visits another site called https://example-2.com which also embeds content from https://3rd-party.com;
  4. The embedded content from https://example-2.com cannot access the cookie set on https://example-1.com because the partitioned key (which is https://example-1.com) doesn't match.

In Symfony 6.4/7.0, we've added support for CHIPS cookies in the HttpFoundation component. In practice, cookies now include a partitioned flag that you can set when creating them:

1
2
3
4
5
6
7
8
9
10
use Symfony\Component\HttpFoundation\Cookie;

$cookie = new Cookie('cookie-name', 'cookie-value', '...', partitioned: true);

// or:
$cookie = Cookie::fromString('cookie-name=cookie-value; ...; Partitioned;');

// or:
$cookie = ...
$cookie->withPartitioned();

And you can also check if a cookie is a CHIPS cookie with this new method:

1
$isPartitioned = $cookie->isPartitioned();

Learn more about CHIPS cookies:

The handling of third-party cookies will change dramatically in the coming months. Thanks to the continuous Symfony updates, your applications can prepare in advance.

Published in #Living on the edge

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Émile Perron
Émile Perron said on Nov 13, 2023

Thanks for being on top of sneaky-yet-impactful changes like this!

Just started to create issues and PRs to get this implemented in more Symfony bundles 🙌

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.