[RFC] partitioned option for setcookie/setrawcookie and sessions

NEWS

@@ -6,6 +6,12 @@ PHP                                                                        NEWS
   . Implement #81724 (openssl_cms_encrypt only allows specific ciphers).
     (Jakub Zelenka)
 
+- Session:
+  . Added support for partitioned cookies. (nielsdos)
+
+- Standard:
+  . Added support for partitioned cookies. (nielsdos)
+
 14 Aug 2025, PHP 8.5.0beta1
 
 - Core:

UPGRADING

@@ -249,6 +249,11 @@ PHP 8.5 UPGRADE NOTES
     Pdo_Sqlite::EXPLAIN_MODE_PREPARED, Pdo_Sqlite::EXPLAIN_MODE_EXPLAIN,
     Pdo_Sqlite::EXPLAIN_MODE_EXPLAIN_QUERY_PLAN.
 
+- Session:
+  . session_set_cookie_params(), session_get_cookie_params(), and session_start()
+    now support partitioned cookies via the "partitioned" key.
+    RFC: https://wiki.php.net/rfc/CHIPS
+
 - SOAP:
   . Enumeration cases are now dumped in __getTypes().
   . Implemented request #61105:
@@ -275,6 +280,8 @@ PHP 8.5 UPGRADE NOTES
     "width_unit" and "height_unit" to indicate in which units the dimensions
     are expressed. These units are px by default. They are not necessarily
     the same (just to give one example: one may be cm and the other may be px).
+  . setcookie() and setrawcookie() now support the "partitioned" key.
+    RFC: https://wiki.php.net/rfc/CHIPS
 
 - XSL:
   . The $namespace argument of XSLTProcessor::getParameter(),

ext/session/php_session.h

@@ -149,6 +149,7 @@ typedef struct _php_ps_globals {
 	zend_string *cookie_samesite;
 	bool  cookie_secure;
 	bool  cookie_httponly;
+	bool  cookie_partitioned;
 	const ps_module *mod;
 	const ps_module *default_mod;
 	void *mod_data;

ext/session/session.c

@@ -886,30 +886,31 @@ static PHP_INI_MH(OnUpdateRefererCheck)
 }
 
 PHP_INI_BEGIN()
-	STD_PHP_INI_ENTRY("session.save_path",          "",          PHP_INI_ALL, OnUpdateSaveDir,       save_path,          php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.name",               "PHPSESSID", PHP_INI_ALL, OnUpdateName,          session_name,       php_ps_globals,    ps_globals)
-	PHP_INI_ENTRY("session.save_handler",           "files",     PHP_INI_ALL, OnUpdateSaveHandler)
-	STD_PHP_INI_BOOLEAN("session.auto_start",       "0",         PHP_INI_PERDIR, OnUpdateBool,       auto_start,         php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.gc_probability",     "1",         PHP_INI_ALL, OnUpdateSessionGcProbability,    gc_probability,     php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.gc_divisor",         "100",       PHP_INI_ALL, OnUpdateSessionDivisor,gc_divisor,         php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.gc_maxlifetime",     "1440",      PHP_INI_ALL, OnUpdateSessionLong,          gc_maxlifetime,     php_ps_globals,    ps_globals)
-	PHP_INI_ENTRY("session.serialize_handler",      "php",       PHP_INI_ALL, OnUpdateSerializer)
-	STD_PHP_INI_ENTRY("session.cookie_lifetime",    "0",         PHP_INI_ALL, OnUpdateCookieLifetime,cookie_lifetime,    php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.cookie_path",        "/",         PHP_INI_ALL, OnUpdateSessionStr, cookie_path,        php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.cookie_domain",      "",          PHP_INI_ALL, OnUpdateSessionStr, cookie_domain,      php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.cookie_secure",    "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_secure,      php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.cookie_httponly",  "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_httponly,    php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.cookie_samesite",    "",          PHP_INI_ALL, OnUpdateSessionStr, cookie_samesite,    php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_cookies",      "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_cookies,        php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1",         PHP_INI_ALL, OnUpdateUseOnlyCookies,   use_only_cookies,   php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_strict_mode",  "0",         PHP_INI_ALL, OnUpdateSessionBool,   use_strict_mode,    php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.referer_check",      "",          PHP_INI_ALL, OnUpdateRefererCheck, extern_referer_chk, php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.cache_limiter",      "nocache",   PHP_INI_ALL, OnUpdateSessionStr, cache_limiter,      php_ps_globals,    ps_globals)
-	STD_PHP_INI_ENTRY("session.cache_expire",       "180",       PHP_INI_ALL, OnUpdateSessionLong,   cache_expire,       php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_trans_sid",    "0",         PHP_INI_ALL, OnUpdateUseTransSid,   use_trans_sid,      php_ps_globals,    ps_globals)
-	PHP_INI_ENTRY("session.sid_length",             "32",        PHP_INI_ALL, OnUpdateSidLength)
-	PHP_INI_ENTRY("session.sid_bits_per_character", "4",         PHP_INI_ALL, OnUpdateSidBits)
-	STD_PHP_INI_BOOLEAN("session.lazy_write",       "1",         PHP_INI_ALL, OnUpdateSessionBool,    lazy_write,         php_ps_globals,    ps_globals)
+	STD_PHP_INI_ENTRY("session.save_path",            "",          PHP_INI_ALL,    OnUpdateSaveDir,              save_path,          php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.name",                 "PHPSESSID", PHP_INI_ALL,    OnUpdateName,                 session_name,       php_ps_globals, ps_globals)
+	PHP_INI_ENTRY("session.save_handler",             "files",     PHP_INI_ALL,    OnUpdateSaveHandler)
+	STD_PHP_INI_BOOLEAN("session.auto_start",         "0",         PHP_INI_PERDIR, OnUpdateBool,                 auto_start,         php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.gc_probability",       "1",         PHP_INI_ALL,    OnUpdateSessionGcProbability, gc_probability,     php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.gc_divisor",           "100",       PHP_INI_ALL,    OnUpdateSessionDivisor,       gc_divisor,         php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.gc_maxlifetime",       "1440",      PHP_INI_ALL,    OnUpdateSessionLong,          gc_maxlifetime,     php_ps_globals, ps_globals)
+	PHP_INI_ENTRY("session.serialize_handler",        "php",       PHP_INI_ALL,    OnUpdateSerializer)
+	STD_PHP_INI_ENTRY("session.cookie_lifetime",      "0",         PHP_INI_ALL,    OnUpdateCookieLifetime,       cookie_lifetime,    php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.cookie_path",          "/",         PHP_INI_ALL,    OnUpdateSessionStr,           cookie_path,        php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.cookie_domain",        "",          PHP_INI_ALL,    OnUpdateSessionStr,           cookie_domain,      php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.cookie_secure",      "0",         PHP_INI_ALL,    OnUpdateSessionBool,          cookie_secure,      php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.cookie_partitioned", "0",         PHP_INI_ALL,    OnUpdateSessionBool,          cookie_partitioned, php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.cookie_httponly",    "0",         PHP_INI_ALL,    OnUpdateSessionBool,          cookie_httponly,    php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.cookie_samesite",      "",          PHP_INI_ALL,    OnUpdateSessionStr,           cookie_samesite,    php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_cookies",        "1",         PHP_INI_ALL,    OnUpdateSessionBool,          use_cookies,        php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_only_cookies",   "1",         PHP_INI_ALL,    OnUpdateUseOnlyCookies,       use_only_cookies,   php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_strict_mode",    "0",         PHP_INI_ALL,    OnUpdateSessionBool,          use_strict_mode,    php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.referer_check",        "",          PHP_INI_ALL,    OnUpdateRefererCheck,         extern_referer_chk, php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.cache_limiter",        "nocache",   PHP_INI_ALL,    OnUpdateSessionStr,           cache_limiter,      php_ps_globals, ps_globals)
+	STD_PHP_INI_ENTRY("session.cache_expire",         "180",       PHP_INI_ALL,    OnUpdateSessionLong,          cache_expire,       php_ps_globals, ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_trans_sid",      "0",         PHP_INI_ALL,    OnUpdateUseTransSid,          use_trans_sid,      php_ps_globals, ps_globals)
+	PHP_INI_ENTRY("session.sid_length",               "32",        PHP_INI_ALL,    OnUpdateSidLength)
+	PHP_INI_ENTRY("session.sid_bits_per_character",   "4",         PHP_INI_ALL,    OnUpdateSidBits)
+	STD_PHP_INI_BOOLEAN("session.lazy_write",         "1",         PHP_INI_ALL,    OnUpdateSessionBool,          lazy_write,         php_ps_globals, ps_globals)
 
 	/* Upload progress */
 	STD_PHP_INI_BOOLEAN("session.upload_progress.enabled",
@@ -1362,6 +1363,12 @@ static zend_result php_session_send_cookie(void)
 		return FAILURE;
 	}
 
+	/* Check for invalid settings combinations */
+	if (UNEXPECTED(PS(cookie_partitioned) && !PS(cookie_secure))) {
+		php_error_docref(NULL, E_WARNING, "Partitioned session cookie cannot be used without also configuring it as secure");
+		return FAILURE;
+	}
+
 	ZEND_ASSERT(strpbrk(ZSTR_VAL(PS(session_name)), SESSION_FORBIDDEN_CHARS) == NULL);
 
 	/* URL encode id because it might be user supplied */
@@ -1406,6 +1413,10 @@ static zend_result php_session_send_cookie(void)
 		smart_str_appends(&ncookie, COOKIE_SECURE);
 	}
 
+	if (PS(cookie_partitioned)) {
+		smart_str_appends(&ncookie, COOKIE_PARTITIONED);
+	}
+
 	if (PS(cookie_httponly)) {
 		smart_str_appends(&ncookie, COOKIE_HTTPONLY);
 	}
@@ -1699,6 +1710,7 @@ PHP_FUNCTION(session_set_cookie_params)
 	zend_string *lifetime = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
 	bool secure = 0, secure_null = 1;
 	bool httponly = 0, httponly_null = 1;
+	bool partitioned = false, partitioned_null = true;
 	zend_string *ini_name;
 	zend_result result;
 	int found = 0;
@@ -1766,6 +1778,10 @@ PHP_FUNCTION(session_set_cookie_params)
 					secure = zval_is_true(value);
 					secure_null = 0;
 					found++;
+				} else if (zend_string_equals_literal_ci(key, "partitioned")) {
+					partitioned = zval_is_true(value);
+					partitioned_null = 0;
+					found++;
 				} else if (zend_string_equals_literal_ci(key, "httponly")) {
 					httponly = zval_is_true(value);
 					httponly_null = 0;
@@ -1830,6 +1846,15 @@ PHP_FUNCTION(session_set_cookie_params)
 			goto cleanup;
 		}
 	}
+	if (!partitioned_null) {
+		ini_name = ZSTR_INIT_LITERAL("session.cookie_partitioned", 0);
+		result = zend_alter_ini_entry_chars(ini_name, partitioned ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
+		zend_string_release_ex(ini_name, 0);
+		if (result == FAILURE) {
+			RETVAL_FALSE;
+			goto cleanup;
+		}
+	}
 	if (!httponly_null) {
 		ini_name = ZSTR_INIT_LITERAL("session.cookie_httponly", 0);
 		result = zend_alter_ini_entry_chars(ini_name, httponly ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
@@ -1872,6 +1897,7 @@ PHP_FUNCTION(session_get_cookie_params)
 	add_assoc_str(return_value, "path", zend_string_dup(PS(cookie_path), false));
 	add_assoc_str(return_value, "domain", zend_string_dup(PS(cookie_domain), false));
 	add_assoc_bool(return_value, "secure", PS(cookie_secure));
+	add_assoc_bool(return_value, "partitioned", PS(cookie_partitioned));
 	add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
 	add_assoc_str(return_value, "samesite", zend_string_dup(PS(cookie_samesite), false));
 }

ext/session/tests/session_get_cookie_params_basic.phpt

@@ -9,6 +9,7 @@ session.cookie_lifetime=0
 session.cookie_path="/"
 session.cookie_domain=""
 session.cookie_secure=0
+session.cookie_partitioned=0
 session.cookie_httponly=0
 session.cookie_samesite=""
 --FILE--
@@ -31,13 +32,17 @@ var_dump(session_set_cookie_params([
   "httponly" => FALSE,
   "samesite" => "please"]));
 var_dump(session_get_cookie_params());
+var_dump(session_set_cookie_params([
+  "secure" => TRUE,
+  "partitioned" => TRUE]));
+var_dump(session_get_cookie_params());
 
 echo "Done";
 ob_end_flush();
 ?>
 --EXPECTF--
 *** Testing session_get_cookie_params() : basic functionality ***
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(0)
   ["path"]=>
@@ -46,13 +51,15 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -61,13 +68,15 @@ array(6) {
   string(4) "blah"
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(%d)
   ["path"]=>
@@ -76,13 +85,15 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(true)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(123)
   ["path"]=>
@@ -91,6 +102,25 @@ array(6) {
   string(3) "baz"
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
+  ["httponly"]=>
+  bool(false)
+  ["samesite"]=>
+  string(6) "please"
+}
+bool(true)
+array(7) {
+  ["lifetime"]=>
+  int(123)
+  ["path"]=>
+  string(4) "/bar"
+  ["domain"]=>
+  string(3) "baz"
+  ["secure"]=>
+  bool(true)
+  ["partitioned"]=>
+  bool(true)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>