TrialByFire Posted December 15, 2025 Share Posted December 15, 2025 I recently noticed the console error message: Cookie “__cf_bm” will soon be rejected because it is foreign and does not have the “Partitioned“ attribute. The only cookie I'm using is being created by PHP Sessions. Does anybody know how to add this attribute going forward? Quote Link to comment https://forums.phpfreaks.com/topic/332411-php-session-cookie-any-way-to-add-%E2%80%9Cpartitioned%E2%80%9C-attribute/ Share on other sites More sharing options...
requinix Posted December 15, 2025 Share Posted December 15, 2025 If you're unlucky enough to be on PHP 8.5, support for Partitioned was added. Otherwise, besides manually setting the header yourself, I believe the cookie settings are still "vulnerable" to injection by way of the other settings. Like, you could set the path to be "/; Partitioned" and PHP wouldn't even give it a second thought. 1 Quote Link to comment https://forums.phpfreaks.com/topic/332411-php-session-cookie-any-way-to-add-%E2%80%9Cpartitioned%E2%80%9C-attribute/#findComment-1662004 Share on other sites More sharing options...
TrialByFire Posted December 15, 2025 Author Share Posted December 15, 2025 5 hours ago, requinix said: If you're unlucky enough to be on PHP 8.5, support for Partitioned was added. Otherwise, besides manually setting the header yourself, I believe the cookie settings are still "vulnerable" to injection by way of the other settings. Like, you could set the path to be "/; Partitioned" and PHP wouldn't even give it a second thought. I am on PHP 8.4. Any solution here? https://github.com/php/php-src/issues/12646 Quote Link to comment https://forums.phpfreaks.com/topic/332411-php-session-cookie-any-way-to-add-%E2%80%9Cpartitioned%E2%80%9C-attribute/#findComment-1662009 Share on other sites More sharing options...
requinix Posted December 16, 2025 Share Posted December 16, 2025 19 hours ago, TrialByFire said: Any solution here? https://github.com/php/php-src/issues/12646 Yup. Five solutions, in fact. Did you read the comments on that page? Quote Link to comment https://forums.phpfreaks.com/topic/332411-php-session-cookie-any-way-to-add-%E2%80%9Cpartitioned%E2%80%9C-attribute/#findComment-1662017 Share on other sites More sharing options...
gizmola Posted December 16, 2025 Share Posted December 16, 2025 On 12/15/2025 at 12:33 PM, TrialByFire said: I am on PHP 8.4. Any solution here? https://github.com/php/php-src/issues/12646 So here's one of the options that's incredibly easy: use Symfony's HttpFoundation component, which across the PHP world is one of the most used Component libraries: See here for a partial list. It provides a formal OOP interface to HTTP Requests and Responses, Cookies, sessions and anything else that people get from the primary cgi-bin superglobals. This can add value to any php based web app, but at minimum you could use it to handle setting partitioned cookies. It's as easy as adding to your project using composer composer require symfony/http-foundation creating your HTTP response object and using it's fluent setcookie method call. <?php use Symfony\Component\HttpFoundation\Cookie; $cookie = Cookie::create('foo') ->withValue('bar') ->withExpires(strtotime('Fri, 20-May-2011 15:25:52 GMT')) ->withDomain('.example.com') ->withSecure(true) ->withPartitioned(); I've found that if you don't have classes to handle Request and Response, you end up cobbling together something that is redundant and less well designed and tested, so the other classes included in the component are well worth looking into. More Documentation here. Quote Link to comment https://forums.phpfreaks.com/topic/332411-php-session-cookie-any-way-to-add-%E2%80%9Cpartitioned%E2%80%9C-attribute/#findComment-1662019 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.