partitioned option for setcookie/setrawcookie and sessions

RFC: https://wiki.php.net/rfc/CHIPS

Closes phpGH-12646.
Closes phpGH-12652.

Author: ndossche

NEWS

@@ -15,10 +15,14 @@ PHP                                                                        NEWS
   . Implement #81724 (openssl_cms_encrypt only allows specific ciphers).
     (Jakub Zelenka)
 
+- Session:
+  . Added support for partitioned cookies. (nielsdos)
+
 - Standard:
   . Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)
   . Passing integers outside the interval [0, 255] to chr() is now deprecated.
     (Girgias)
+  . Added support for partitioned cookies. (nielsdos)
 
 14 Aug 2025, PHP 8.5.0beta1
 

UPGRADING

@@ -253,6 +253,11 @@ PHP 8.5 UPGRADE NOTES
     Pdo_Sqlite::EXPLAIN_MODE_PREPARED, Pdo_Sqlite::EXPLAIN_MODE_EXPLAIN,
     Pdo_Sqlite::EXPLAIN_MODE_EXPLAIN_QUERY_PLAN.
 
+- Session:
+  . session_set_cookie_params(), session_get_cookie_params(), and session_start()
+    now support partitioned cookies via the "partitioned" key.
+    RFC: https://wiki.php.net/rfc/CHIPS
+
 - SOAP:
   . Enumeration cases are now dumped in __getTypes().
   . Implemented request #61105:
@@ -279,6 +284,8 @@ PHP 8.5 UPGRADE NOTES
     "width_unit" and "height_unit" to indicate in which units the dimensions
     are expressed. These units are px by default. They are not necessarily
     the same (just to give one example: one may be cm and the other may be px).
+  . setcookie() and setrawcookie() now support the "partitioned" key.
+    RFC: https://wiki.php.net/rfc/CHIPS
 
 - XSL:
   . The $namespace argument of XSLTProcessor::getParameter(),

ext/session/php_session.h

@@ -149,6 +149,7 @@ typedef struct _php_ps_globals {
 	zend_string *cookie_samesite;
 	bool  cookie_secure;
 	bool  cookie_httponly;
+	bool  cookie_partitioned;
 	const ps_module *mod;
 	const ps_module *default_mod;
 	void *mod_data;

ext/session/session.c

@@ -898,6 +898,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("session.cookie_path",        "/",         PHP_INI_ALL, OnUpdateSessionStr, cookie_path,        php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cookie_domain",      "",          PHP_INI_ALL, OnUpdateSessionStr, cookie_domain,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.cookie_secure",    "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_secure,      php_ps_globals,    ps_globals)
+	STD_PHP_INI_BOOLEAN("session.cookie_partitioned","0",        PHP_INI_ALL, OnUpdateSessionBool,   cookie_partitioned,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.cookie_httponly",  "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_httponly,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cookie_samesite",    "",          PHP_INI_ALL, OnUpdateSessionStr, cookie_samesite,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_cookies",      "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_cookies,        php_ps_globals,    ps_globals)
@@ -1362,6 +1363,12 @@ static zend_result php_session_send_cookie(void)
 		return FAILURE;
 	}
 
+	/* Check for invalid settings combinations */
+	if (UNEXPECTED(PS(cookie_partitioned) && !PS(cookie_secure))) {
+		php_error_docref(NULL, E_WARNING, "Partitioned session cookie cannot be used without also configuring it as secure");
+		return FAILURE;
+	}
+
 	ZEND_ASSERT(strpbrk(ZSTR_VAL(PS(session_name)), SESSION_FORBIDDEN_CHARS) == NULL);
 
 	/* URL encode id because it might be user supplied */
@@ -1406,6 +1413,10 @@ static zend_result php_session_send_cookie(void)
 		smart_str_appends(&ncookie, COOKIE_SECURE);
 	}
 
+	if (PS(cookie_partitioned)) {
+		smart_str_appends(&ncookie, COOKIE_PARTITIONED);
+	}
+
 	if (PS(cookie_httponly)) {
 		smart_str_appends(&ncookie, COOKIE_HTTPONLY);
 	}
@@ -1699,6 +1710,7 @@ PHP_FUNCTION(session_set_cookie_params)
 	zend_string *lifetime = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
 	bool secure = 0, secure_null = 1;
 	bool httponly = 0, httponly_null = 1;
+	bool partitioned = false, partitioned_null = true;
 	zend_string *ini_name;
 	zend_result result;
 	int found = 0;
@@ -1766,6 +1778,10 @@ PHP_FUNCTION(session_set_cookie_params)
 					secure = zval_is_true(value);
 					secure_null = 0;
 					found++;
+				} else if (zend_string_equals_literal_ci(key, "partitioned")) {
+					partitioned = zval_is_true(value);
+					partitioned_null = 0;
+					found++;
 				} else if (zend_string_equals_literal_ci(key, "httponly")) {
 					httponly = zval_is_true(value);
 					httponly_null = 0;
@@ -1830,6 +1846,15 @@ PHP_FUNCTION(session_set_cookie_params)
 			goto cleanup;
 		}
 	}
+	if (!partitioned_null) {
+		ini_name = ZSTR_INIT_LITERAL("session.cookie_partitioned", 0);
+		result = zend_alter_ini_entry_chars(ini_name, partitioned ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
+		zend_string_release_ex(ini_name, 0);
+		if (result == FAILURE) {
+			RETVAL_FALSE;
+			goto cleanup;
+		}
+	}
 	if (!httponly_null) {
 		ini_name = ZSTR_INIT_LITERAL("session.cookie_httponly", 0);
 		result = zend_alter_ini_entry_chars(ini_name, httponly ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
@@ -1872,6 +1897,7 @@ PHP_FUNCTION(session_get_cookie_params)
 	add_assoc_str(return_value, "path", zend_string_dup(PS(cookie_path), false));
 	add_assoc_str(return_value, "domain", zend_string_dup(PS(cookie_domain), false));
 	add_assoc_bool(return_value, "secure", PS(cookie_secure));
+	add_assoc_bool(return_value, "partitioned", PS(cookie_partitioned));
 	add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
 	add_assoc_str(return_value, "samesite", zend_string_dup(PS(cookie_samesite), false));
 }

ext/session/tests/session_get_cookie_params_basic.phpt

@@ -9,6 +9,7 @@ session.cookie_lifetime=0
 session.cookie_path="/"
 session.cookie_domain=""
 session.cookie_secure=0
+session.cookie_partitioned=0
 session.cookie_httponly=0
 session.cookie_samesite=""
 --FILE--
@@ -31,13 +32,17 @@ var_dump(session_set_cookie_params([
   "httponly" => FALSE,
   "samesite" => "please"]));
 var_dump(session_get_cookie_params());
+var_dump(session_set_cookie_params([
+  "secure" => TRUE,
+  "partitioned" => TRUE]));
+var_dump(session_get_cookie_params());
 
 echo "Done";
 ob_end_flush();
 ?>
 --EXPECTF--
 *** Testing session_get_cookie_params() : basic functionality ***
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(0)
   ["path"]=>
@@ -46,13 +51,15 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -61,13 +68,15 @@ array(6) {
   string(4) "blah"
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(%d)
   ["path"]=>
@@ -76,13 +85,15 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(true)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(123)
   ["path"]=>
@@ -91,6 +102,25 @@ array(6) {
   string(3) "baz"
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
+  ["httponly"]=>
+  bool(false)
+  ["samesite"]=>
+  string(6) "please"
+}
+bool(true)
+array(7) {
+  ["lifetime"]=>
+  int(123)
+  ["path"]=>
+  string(4) "/bar"
+  ["domain"]=>
+  string(3) "baz"
+  ["secure"]=>
+  bool(true)
+  ["partitioned"]=>
+  bool(true)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>

ext/session/tests/session_get_cookie_params_variation1.phpt

@@ -9,6 +9,7 @@ session.cookie_lifetime=0
 session.cookie_path="/"
 session.cookie_domain=""
 session.cookie_secure=0
+session.cookie_partitioned=0
 session.cookie_httponly=0
 session.cookie_samesite=""
 --FILE--
@@ -31,13 +32,15 @@ ini_set("session.cookie_httponly", TRUE);
 var_dump(session_get_cookie_params());
 ini_set("session.cookie_samesite", "foo");
 var_dump(session_get_cookie_params());
+ini_set("session.cookie_partitioned", TRUE);
+var_dump(session_get_cookie_params());
 
 echo "Done";
 ob_end_flush();
 ?>
 --EXPECT--
 *** Testing session_get_cookie_params() : variation ***
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(0)
   ["path"]=>
@@ -46,12 +49,14 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -60,12 +65,14 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -74,12 +81,14 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -88,12 +97,14 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -102,12 +113,14 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -116,12 +129,30 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(true)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
+  ["lifetime"]=>
+  int(3600)
+  ["path"]=>
+  string(5) "/path"
+  ["domain"]=>
+  string(3) "foo"
+  ["secure"]=>
+  bool(true)
+  ["partitioned"]=>
+  bool(false)
+  ["httponly"]=>
+  bool(true)
+  ["samesite"]=>
+  string(3) "foo"
+}
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -130,6 +161,8 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(true)
   ["httponly"]=>
   bool(true)
   ["samesite"]=>