New in Symfony 6.4: CHIPS Cookies
Contributed by Fabrice Locher in #52002.
Browsers like Google Chrome will phase out support for third-party cookies
starting from midway through 2024. The alternative is called CHIPS, which
stands for "Cookies Having Independent Partitioned State".
Browsers with CHIPS cookie support allow a new attribute called Partitioned
when creating a cookie with the Set-Cookie HTTP header:
Set-Cookie: cookie-name=cookie-value; SameSite=None; Secure; Path=/; Partitioned;
When the browser receives a cookie with the Partitioned attribute set, the
cookie is stored using two keys, the host key and a new partition key.
Consider this example that doesn’t use CHIPS cookies:
1. User visits https://example-1.com, which embeds content from https://3rd-party.com
   (which in turn sets a cookie from https://3rd-party.com);
2. User visits another site called https://example-2.com, which also
   embeds content from https://3rd-party.com;
3. The content from https://3rd-party.com embedded in https://example-2.com can
   access the cookie set during the visit to https://example-1.com.
This is because cookies are stored with a key (called host key) based on the
host or domain name of the site that set them (in the above example, the key is
3rd-party.com).
When using CHIPS cookies, things work differently:
1. User visits https://example-1.com, which embeds content from https://3rd-party.com
   (which in turn sets a cookie from https://3rd-party.com including the
   Partitioned attribute);
2. The cookie is stored using two keys: {("https://example-1.com"), ("3rd-party.com")}
   (the first one is the partition key and the second one is the host key);
3. User visits another site called https://example-2.com, which also
   embeds content from https://3rd-party.com;
4. The content embedded in https://example-2.com cannot access the cookie
   set on https://example-1.com because the partition key (which is https://example-1.com)
   doesn't match.
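The two walkthroughs above, as an added example that is not part of the original post or of Symfony: a simplified model of how a browser keys its cookie storage. The `CookieJar` class and its methods are hypothetical names; the rule that a Partitioned cookie without Secure is rejected comes from the CHIPS rules, not from this article.

```javascript
// Added example: simplified model of a browser cookie jar (hypothetical class, not a browser API).
// topLevelSite = site in the address bar; host = the embedded host that sent Set-Cookie.
class CookieJar {
  constructor() {
    this.store = new Map(); // storage key -> cookie value
  }

  // Parse a Set-Cookie value into { name, value, attrs } (attribute names lower-cased).
  static parse(header) {
    const [pair, ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
    const eq = pair.indexOf('=');
    const attrs = new Map(rest.map((a) => {
      const [k, ...v] = a.split('=');
      return [k.trim().toLowerCase(), v.join('=').trim()];
    }));
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
  }

  // Unpartitioned cookies are keyed by host only; Partitioned ones add the top-level site.
  static key(topLevelSite, host, name, partitioned) {
    return JSON.stringify([partitioned ? topLevelSite : null, host, name]);
  }

  // Returns true if stored. Partitioned without Secure is rejected (CHIPS rule, see lead-in).
  set(topLevelSite, host, header) {
    const { name, value, attrs } = CookieJar.parse(header);
    const partitioned = attrs.has('partitioned');
    if (partitioned && !attrs.has('secure')) return false;
    this.store.set(CookieJar.key(topLevelSite, host, name, partitioned), value);
    return true;
  }

  // Cookie value the embedded host can read while framed under topLevelSite.
  get(topLevelSite, host, name) {
    return this.store.get(CookieJar.key(topLevelSite, host, name, true))
      ?? this.store.get(CookieJar.key(topLevelSite, host, name, false));
  }
}

// Constructed scenario from the article: cookie set under example-1, read under example-2.
function demo(header) {
  const jar = new CookieJar();
  jar.set('https://example-1.com', '3rd-party.com', header);
  return jar.get('https://example-2.com', '3rd-party.com', 'cookie-name');
}

console.log(demo('cookie-name=cookie-value; SameSite=None; Secure; Path=/'));               // cookie-value
console.log(demo('cookie-name=cookie-value; SameSite=None; Secure; Path=/; Partitioned;')); // undefined
```

The model covers only the storage key; it does not model SameSite enforcement or a browser's third-party cookie blocking.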
In Symfony 6.4/7.0, we’ve added support for CHIPS cookies in the
HttpFoundation component. In practice, cookies now include a partitioned
flag that you can set when creating them:
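use Symfony\Component\HttpFoundation\Cookie;
// set the flag through the named constructor argument
$cookie = new Cookie('cookie-name', 'cookie-value', '…', partitioned: true);
// or:
$cookie = Cookie::fromString('cookie-name=cookie-value; …; Partitioned;');
// or:
$cookie = …
// withPartitioned() returns a new Cookie instance, so keep the return value
$cookie = $cookie->withPartitioned();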
And you can also check if a cookie is a CHIPS cookie with this new method:
$isPartitioned = $cookie->isPartitioned();
Learn more about CHIPS cookies:
MDN article about CHIPS cookies
CHIPS Cookies spec by W3C Privacy Community Group
The handling of third-party cookies will change dramatically in the coming months.
Thanks to the continuous Symfony updates, your applications can prepare in advance.