New in Symfony 6.4: CHIPS Cookies

Contributed by Fabrice Locher in #52002.

Browsers like Google Chrome will phase out support for third-party cookies
starting from midway through 2024. The alternative is called CHIPS, which is
short for "Cookies Having Independent Partitioned State".

Browsers with CHIPS cookie support allow a new attribute called Partitioned
when creating a cookie with the Set-Cookie HTTP header:

Set-Cookie: cookie-name=cookie-value; SameSite=None; Secure; Path=/; Partitioned;

When the browser receives a cookie with the Partitioned attribute set, the
cookie is stored using two keys, the host key and a new partition key.
Consider this example that doesn’t use CHIPS cookies:

- User visits https://example-1.com, which embeds content from https://3rd-party.com
  (which in turn sets a cookie from https://3rd-party.com);
- User visits another site called https://example-2.com, which also
  embeds content from https://3rd-party.com;
- The content embedded in https://example-2.com can access the cookie set
  on https://example-1.com.

This is because cookies are stored with a key (called host key) based on the
host or domain name of the site that set them (in the above example, the key is
3rd-party.com).

When using CHIPS cookies, things work differently:

- User visits https://example-1.com, which embeds content from https://3rd-party.com
  (which in turn sets a cookie from https://3rd-party.com including the
  Partitioned attribute);
- The cookie is stored using two keys: {("https://example-1.com"), ("3rd-party.com")}
  (the first one is the partition key and the second one is the host key);
- User visits another site called https://example-2.com, which also
  embeds content from https://3rd-party.com;
- The content embedded in https://example-2.com cannot access the cookie
  set on https://example-1.com because the partition key (which is https://example-1.com)
  doesn’t match.
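
The two walkthroughs above, modelled as a toy cookie jar. This is an added example, not browser or Symfony code: the `CookieJar` class, its methods and the cookie names are hypothetical, and the partition key is simplified to the origin of the top-level page (browsers derive it from the top-level site).

```javascript
// Added illustration: toy cookie jar, not browser or Symfony code.
// Assumption: partition key = origin of the top-level page (simplified).
class CookieJar {
  constructor() {
    this.store = new Map(); // storage key -> Map(cookie name -> value)
  }

  // Unpartitioned: keyed by host key only. Partitioned: (partition key, host key).
  static storageKey(topLevelUrl, host, partitioned) {
    return partitioned ? `${new URL(topLevelUrl).origin}|${host}` : host;
  }

  // Process a Set-Cookie header sent by `host` while the user is on `topLevelUrl`.
  setCookie(topLevelUrl, host, header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim()).filter(Boolean);
    const eq = pair.indexOf('=');
    const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
    const partitioned = flags.has('partitioned');
    // Browsers reject a Partitioned cookie that is not also Secure.
    if (partitioned && !flags.has('secure')) return false;
    const key = CookieJar.storageKey(topLevelUrl, host, partitioned);
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(pair.slice(0, eq), pair.slice(eq + 1));
    return true;
  }

  // Cookies visible to content from `host` embedded in the page at `topLevelUrl`.
  cookiesFor(topLevelUrl, host) {
    const visible = {};
    for (const partitioned of [false, true]) {
      const key = CookieJar.storageKey(topLevelUrl, host, partitioned);
      for (const [name, value] of this.store.get(key) ?? []) visible[name] = value;
    }
    return visible;
  }
}

// Constructed walkthrough: 3rd-party.com is embedded on two unrelated sites.
function walkthrough() {
  const jar = new CookieJar();
  const top1 = 'https://example-1.com/';
  jar.setCookie(top1, '3rd-party.com', 'legacy=a; SameSite=None; Secure; Path=/');
  jar.setCookie(top1, '3rd-party.com', 'chips=b; SameSite=None; Secure; Path=/; Partitioned;');
  return {
    onExample1: jar.cookiesFor(top1, '3rd-party.com'),
    onExample2: jar.cookiesFor('https://example-2.com/', '3rd-party.com'),
  };
}
console.log(walkthrough());
```

`walkthrough()` returns both cookies for the embed on example-1.com but only the unpartitioned `legacy` cookie on example-2.com.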

In Symfony 6.4/7.0, we’ve added support for CHIPS cookies in the
HttpFoundation component. In practice, cookies now include a partitioned
flag that you can set when creating them:

use Symfony\Component\HttpFoundation\Cookie;

$cookie = new Cookie('cookie-name', 'cookie-value', '...', partitioned: true);

// or:
$cookie = Cookie::fromString('cookie-name=cookie-value; ...; Partitioned;');

// or:
$cookie = ...
// withPartitioned() returns a modified copy, so keep the returned instance
$cookie = $cookie->withPartitioned();

And you can also check if a cookie is a CHIPS cookie with this new method:

$isPartitioned = $cookie->isPartitioned();

Learn more about CHIPS cookies:

MDN article about CHIPS cookies
CHIPS Cookies spec by W3C Privacy Community Group

The handling of third-party cookies will change dramatically in the coming months.
Thanks to the continuous Symfony updates, your applications can prepare in advance.
