Update UPGRADING wrt. samesite cookie RFC

Cf. <https://wiki.php.net/rfc/same-site-cookie>.

1 files changed, 17 insertions, 0 deletions

diff --git a/UPGRADING b/UPGRADING
index 16649bae75..b2ec6bcd0b 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -332,11 +332,23 @@ JSON:
     precedence over JSON_THROW_ON_ERROR.
     (RFC: https://wiki.php.net/rfc/json_throw_on_error)
 
+Session:
+  . session_set_cookie_params() now also supports the following signature:
+    session_set_cookie_params(array $options)
+    where $options is an associative array which may have any of the keys
+    "lifetime", "path", "domain", "secure", "httponly" and "samesite".
+    Accordingly, the return value of session_get_cookie_params() now also has an
+    element with the key "samesite".
+
 Standard:
   . debug_zval_dump() was changed to display recursive arrays and objects
     in the same way as var_dump(). Now, it doesn't display them twice.
   . array_push() and array_unshift() can now also be called with a single
     argument, which is particularly convenient wrt. the spread operator.
+  . setcookie() and setrawcookie() now also support the following signature:
+    set(raw)cookie(string $name, [string $value, [array $options]])
+    where $options is an associative array which may have any of the keys
+    "lifetime", "path", "domain", "secure", "httponly" and "samesite".
 
 PCRE:
   . preg_quote() now also escapes the '#' character.
@@ -507,6 +519,11 @@ Standard:
   . This INI directive has been removed. The value has already been ignored
     since PHP 5.3.0.
 
+- session.cookie_samesite
+  . New INI option to allow to set the SameSite directive for cookies. Defaults
+    to "" (empty string), so no SameSite directive is set. Can be set to "Lax"
+    or "Strict", which sets the respective SameSite directive.
+
 - syslog.facility
   - New INI to set syslog facility which specifies what type of program is
     logging the message. It is used only when error_log is set to syslog.