Altered CookieJar behaviour to follow php setCookie #9548
Conversation
There was a problem hiding this comment.
We’ll need to preserve backward compatibility with passing a number of days if we’re changing this in 4.x, or people will upgrade and suddenly find their cookies expiring.
I think we should be safe to rely on $expiry < time() to check whether someone has passed a number of days or a timestamp. It’s unlikely someone is intentionally setting a cookie to expire in 1.5 billion days 😛
|
@kinglozzer makes a very good point about backward compatibility. Also, it turns out that the interface documentation for |
|
We could potentially do:
EDIT: Upon reflection I don't think a config option is a good idea, as it increases the change of bugs when using modules that either require this setting or can't work with it. One case I'd be marginally worried about is if someone has used "a million/billion days" or something as signifying "forever". The current date is about 1.592 billion; 1 billion is 9 sept 2001. Assuming anything less than today's timestamp is a relative date might cause bugs; perhaps we say anything <= 1,000,000,000 is treated as relative? The other case that might be a bit unclear is passing "0". That would probably need to be interpreted as We should update the docs to explain these cases. |
|
I'm happy to implement any of the above.
I agree, not supporting large numbers as an expression of "forever number of days" does have the slim potential of being a breaking change.
@sminnee sounds good. Just to be double sure, is that another way of saying what the php docs are saying? i.e
If we want to make this change with 4.x compatibility, can I propose we...
Note: |
|
This solution doesn't have comprehensive backwards compatibility. I've commented on this in the issue #5325 (comment) |
|
As long as we maintain backwards compatibility, I think it's fine to make this change in a minor and deprecate the existing usage.
Agreed. We can handle 0 the same for both "time" and "day" mode
I feel like we should leave the default as 90 for now.
This isn't necessary if you use in current Deprecation API.
See above
I really wonder if it's worth the extra API for this incredibly unlikely scenario.
You're welcome to just PR this for Sounds good to me. |
|
My only concern (where now I concur with @jakxnz's point from 2 days ago) is that any custom implementations of So to be clear, I think even this deprecation should be flagged |
|
I'm torn on this. I think the consistency with PHP is a good goal, and I'm in favour with the general intention. I think we can probably not change the interface (or the intention of the argument in the interface), support the new and old method, have some indication that the new "timestamp" method is the way it'll be in SS5, and ideally have some sort of deprecation notice about it. We can change it in SS5, but I'm not keen on doing that with some sort of deprecation guiding developers through the process. Otherwise, I'll be in favour of deprecating in SS5, and changing the SS6. And then banging the old drum about shorter major release cycles 😉 |
/me trembles ... I'm still stuck on SS 3.x. 😄 I'm all for progress, but that's why I'm always so super careful about using only well defined API's, not touching core and etc. The less dramatic the changes are, the easier it is to modernize. Iterating too quickly on major versions (or at least being too disruptive) can actually have the ironic effect of discouraging upgrades. |
|
I don't want to digress too much so I'll just say this: The idea with shorter major release cycles is that you have a much more palatable list of breaking changes to deal with. While you might be right, where some teams don't have a workflow that allows them to stay on top of more frequent major updates, I think the majority would be more accepting of a days work every 6 months or so to stay on top of changes, with the benefit of the SS codebase being a little nicer in terms of semantics and simplicity (like this PR aims to resolve). |
|
Absolutely @ScopeyNZ that's a sensible way to approach it. 😄 |
jakxnz
force-pushed
the
pulls/4/cookie-set-expiry-by-timestamp
branch
3 times, most recently
from
655a9e4 to
98a9750
Compare
|
Updated the PR description:
|
jakxnz
changed the title
jakxnz
force-pushed
the
pulls/4/cookie-set-expiry-by-timestamp
branch
from
98a9750 to
13c8bad
Compare
jakxnz
force-pushed
the
pulls/4/cookie-set-expiry-by-timestamp
branch
from
13c8bad to
25f56cf
Compare
|
Having different functionality like this if you switch implementations of an interface isn’t ideal, but I can’t see any way to introduce a deprecation cycle without ending up with that at some point. I wonder if we could fix the interface in 5.0 by adding a deprecation notice in this PR to The only drawback I can see is that there won’t actually be any way to fix the deprecation notice because core code will have to keep passing a number of days (for BC) until 5.0 is released. Again, I can’t see any way around that though even if we delay this until 5.0 or 6.0... |
|
This change also makes me nervous; mostly because of BC issues. Our The Whilst consistency with the underlying PHP APIs can be a worthwhile goal, I'm not sure that we need to be completely compatible with them for its own sake. I wouldn't use this as a justification for large disruption. There's a lot of work to improve cookies and I don't think this would be a change that should make it's way to 5.x because out cookie approach needs modernising. Other things that need addressing:
My point being that we shouldn't implement something painful for 4.x users when the likelihood is that in 5.x it won't even be a linear upgrade path |
|
I'd also point out that some of the confusion is likely coming from the fact that our implementation is effectively setting the The decision was likely made at the time because it's a more common use-case as a developer to want a cookie to expire in 30 days than it is to want a cookie to expire on 1st July 2020 12:34:03+1200 (conceptually speaking) |
There was a problem hiding this comment.
My view is that we shouldn't make this change. I don't think it provides any tangible value (sub day cookies can be set with some simple maths), it adds a changeable API where it's inferred that the expiry argument changes between expires and max-age on the cookie (where as before it was consistently max-age).
|
Here's a crazy idea (ready to be shot down instantly 😄): Could you change the interface to require a return type declaration so you can use chaining to define additional parameters? e.g. Laravel also uses the You could then (in future versions, e.g. public function set(
$name,
$value,
$expiry = 90,
$path = null,
$domain = null,
$secure = false,
$httpOnly = true
) : Cookie_Backend;That way you can use the extensibility of PHP to continue using the return type to then use more methods to add more functionality as needed. Thoughts? |
|
@patricknelson if there will be an effort to expand the I don't see enough clarity in the conversation for a pull request of this nature, so I'm going to close this. I have raised #9552 to request a "docs only" enhancement. |
#5325
Refactored
CookieJar::set()expiry convention to follow phpsetCookie()'s$expiresargument (https://www.php.net/manual/en/function.setcookie.php)The impact here is not insignificant. Because timestamp is relative, there's no meaningful default value to use, unless we use a relative value internally. The comments in the issue specifically suggest using the same arg type as php, so I chose to do that.The expected impact is low, the changes simply now allow users to supply
$expiryexpressed in days or a Unix timestampThe resulting internal behaviour is the same, but theCookie::set()API has changed to require a Unix timestamp.Also tweaked internal use of
CookieAuthenticationHandler::clearCookies()to not supplynullas$expiry