Fabrice Locher
Contributed by Fabrice Locher in #52002

Browsers like Google Chrome will phase out support for third-party cookies starting from midway through 2024. The alternative is called CHIPS, which is the acronym of "Cookies Having Independent Partitioned State".

Browsers with CHIPS cookie support allow a new attribute called Partitioned when creating a cookie with the Set-Cookie HTTP header:

1
Set-Cookie: cookie-name=cookie-value; SameSite=None; Secure; Path=/; Partitioned;

When the browser receives a cookie with the Partitioned attribute set, the cookie is stored using two keys, the host key and a new partition key. Consider this example that doesn't use CHIPS cookies:

  1. User visits https://example-1.com which embeds content from https://3rd-party.com (which in turn sets a cookie from https://3rd-party.com);
  2. User visits another site called https://example-2.com which also embeds content from https://3rd-party.com;
  3. The embedded content from https://example-2.com can access the cookie set on https://example-1.com.

This is because cookies are stored with a key (called host key) based on the host or domain name of the site that set them (in the above example, the key is 3rd-party.com).

When using CHIPS cookies, things work differently:

  1. User visits https://example-1.com which embeds content from https://3rd-party.com (which in turn sets a cookie from https://3rd-party.com including the Partitioned attribute);
  2. The cookie is stored using two keys: {("https://example-1.com"), ("3rd-party.com")} (the first one is the partition key and the second one is the host key);
  3. User visits another site called https://example-2.com which also embeds content from https://3rd-party.com;
  4. The embedded content from https://example-2.com cannot access the cookie set on https://example-1.com because the partitioned key (which is https://example-1.com) doesn't match.

In Symfony 6.4/7.0, we've added support for CHIPS cookies in the HttpFoundation component. In practice, cookies now include a partitioned flag that you can set when creating them:

1
2
3
4
5
6
7
8
9
10
use Symfony\Component\HttpFoundation\Cookie;

$cookie = new Cookie('cookie-name', 'cookie-value', '...', partitioned: true);

// or:
$cookie = Cookie::fromString('cookie-name=cookie-value; ...; Partitioned;');

// or:
$cookie = ...
$cookie->withPartitioned();

And you can also check if a cookie is a CHIPS cookie with this new method:

1
$isPartitioned = $cookie->isPartitioned();

Learn more about CHIPS cookies:

The handling of third-party cookies will change dramatically in the coming months. Thanks to the continuous Symfony updates, your applications can prepare in advance.

Published in #Living on the edge