php · nielsdos · Nov 10, 2023 · Jul 14, 2025
@@ -149,6 +149,7 @@ typedef struct _php_ps_globals {
 	zend_string *cookie_samesite;
 	bool  cookie_secure;
 	bool  cookie_httponly;
+	bool  cookie_partitioned;
 	const ps_module *mod;
 	const ps_module *default_mod;
 	void *mod_data;

@@ -898,6 +898,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("session.cookie_path",        "/",         PHP_INI_ALL, OnUpdateSessionStr, cookie_path,        php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cookie_domain",      "",          PHP_INI_ALL, OnUpdateSessionStr, cookie_domain,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.cookie_secure",    "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_secure,      php_ps_globals,    ps_globals)
+	STD_PHP_INI_BOOLEAN("session.cookie_partitioned","0",        PHP_INI_ALL, OnUpdateSessionBool,   cookie_partitioned,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.cookie_httponly",  "0",         PHP_INI_ALL, OnUpdateSessionBool,   cookie_httponly,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cookie_samesite",    "",          PHP_INI_ALL, OnUpdateSessionStr, cookie_samesite,    php_ps_globals,    ps_globals)
 	STD_PHP_INI_BOOLEAN("session.use_cookies",      "1",         PHP_INI_ALL, OnUpdateSessionBool,   use_cookies,        php_ps_globals,    ps_globals)
@@ -1388,6 +1389,12 @@ static zend_result php_session_send_cookie(void)
 		return FAILURE;
 	}
 
+	/* Check for invalid settings combinations */
+	if (UNEXPECTED(PS(cookie_partitioned) && !PS(cookie_secure))) {
+		php_error_docref(NULL, E_WARNING, "Partitioned session cookie cannot be used without also configuring it as secure");
+		return FAILURE;
+	}
+
 	ZEND_ASSERT(strpbrk(ZSTR_VAL(PS(session_name)), SESSION_FORBIDDEN_CHARS) == NULL);
 
 	/* URL encode id because it might be user supplied */
@@ -1432,6 +1439,10 @@ static zend_result php_session_send_cookie(void)
 		smart_str_appends(&ncookie, COOKIE_SECURE);
 	}
 
+	if (PS(cookie_partitioned)) {
+		smart_str_appends(&ncookie, COOKIE_PARTITIONED);
+	}
+
 	if (PS(cookie_httponly)) {
 		smart_str_appends(&ncookie, COOKIE_HTTPONLY);
 	}
@@ -1725,6 +1736,7 @@ PHP_FUNCTION(session_set_cookie_params)
 	zend_string *lifetime = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
 	bool secure = 0, secure_null = 1;
 	bool httponly = 0, httponly_null = 1;
+	bool partitioned = false, partitioned_null = true;
 	zend_string *ini_name;
 	zend_result result;
 	int found = 0;
@@ -1792,6 +1804,10 @@ PHP_FUNCTION(session_set_cookie_params)
 					secure = zval_is_true(value);
 					secure_null = 0;
 					found++;
+				} else if (zend_string_equals_literal_ci(key, "partitioned")) {
+					partitioned = zval_is_true(value);
+					partitioned_null = 0;
+					found++;
 				} else if (zend_string_equals_literal_ci(key, "httponly")) {
 					httponly = zval_is_true(value);
 					httponly_null = 0;
@@ -1856,6 +1872,15 @@ PHP_FUNCTION(session_set_cookie_params)
 			goto cleanup;
 		}
 	}
+	if (!partitioned_null) {
+		ini_name = ZSTR_INIT_LITERAL("session.cookie_partitioned", 0);
+		result = zend_alter_ini_entry_chars(ini_name, partitioned ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
+		zend_string_release_ex(ini_name, 0);
+		if (result == FAILURE) {
+			RETVAL_FALSE;
+			goto cleanup;
+		}
+	}
 	if (!httponly_null) {
 		ini_name = ZSTR_INIT_LITERAL("session.cookie_httponly", 0);
 		result = zend_alter_ini_entry_chars(ini_name, httponly ? "1" : "0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
@@ -1898,6 +1923,7 @@ PHP_FUNCTION(session_get_cookie_params)
 	add_assoc_str(return_value, "path", zend_string_dup(PS(cookie_path), false));
 	add_assoc_str(return_value, "domain", zend_string_dup(PS(cookie_domain), false));
 	add_assoc_bool(return_value, "secure", PS(cookie_secure));
+	add_assoc_bool(return_value, "partitioned", PS(cookie_partitioned));
 	add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
 	add_assoc_str(return_value, "samesite", zend_string_dup(PS(cookie_samesite), false));
 }

@@ -9,6 +9,7 @@ session.cookie_lifetime=0
 session.cookie_path="/"
 session.cookie_domain=""
 session.cookie_secure=0
+session.cookie_partitioned=0
 session.cookie_httponly=0
 session.cookie_samesite=""
 --FILE--
@@ -31,13 +32,17 @@ var_dump(session_set_cookie_params([
   "httponly" => FALSE,
   "samesite" => "please"]));
 var_dump(session_get_cookie_params());
+var_dump(session_set_cookie_params([
+  "secure" => TRUE,
+  "partitioned" => TRUE]));
+var_dump(session_get_cookie_params());
 
 echo "Done";
 ob_end_flush();
 ?>
 --EXPECTF--
 *** Testing session_get_cookie_params() : basic functionality ***
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(0)
   ["path"]=>
@@ -46,13 +51,15 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -61,13 +68,15 @@ array(6) {
   string(4) "blah"
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(%d)
   ["path"]=>
@@ -76,13 +85,15 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(true)
   ["samesite"]=>
   string(0) ""
 }
 bool(true)
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(123)
   ["path"]=>
@@ -91,6 +102,25 @@ array(6) {
   string(3) "baz"
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
+  ["httponly"]=>
+  bool(false)
+  ["samesite"]=>
+  string(6) "please"
+}
+bool(true)
+array(7) {
+  ["lifetime"]=>
+  int(123)
+  ["path"]=>
+  string(4) "/bar"
+  ["domain"]=>
+  string(3) "baz"
+  ["secure"]=>
+  bool(true)
+  ["partitioned"]=>
+  bool(true)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>

@@ -9,6 +9,7 @@ session.cookie_lifetime=0
 session.cookie_path="/"
 session.cookie_domain=""
 session.cookie_secure=0
+session.cookie_partitioned=0
 session.cookie_httponly=0
 session.cookie_samesite=""
 --FILE--
@@ -31,13 +32,15 @@ ini_set("session.cookie_httponly", TRUE);
 var_dump(session_get_cookie_params());
 ini_set("session.cookie_samesite", "foo");
 var_dump(session_get_cookie_params());
+ini_set("session.cookie_partitioned", TRUE);
+var_dump(session_get_cookie_params());
 
 echo "Done";
 ob_end_flush();
 ?>
 --EXPECT--
 *** Testing session_get_cookie_params() : variation ***
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(0)
   ["path"]=>
@@ -46,12 +49,14 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -60,12 +65,14 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -74,12 +81,14 @@ array(6) {
   string(0) ""
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -88,12 +97,14 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(false)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -102,12 +113,14 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(false)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -116,12 +129,30 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(false)
   ["httponly"]=>
   bool(true)
   ["samesite"]=>
   string(0) ""
 }
-array(6) {
+array(7) {
+  ["lifetime"]=>
+  int(3600)
+  ["path"]=>
+  string(5) "/path"
+  ["domain"]=>
+  string(3) "foo"
+  ["secure"]=>
+  bool(true)
+  ["partitioned"]=>
+  bool(false)
+  ["httponly"]=>
+  bool(true)
+  ["samesite"]=>
+  string(3) "foo"
+}
+array(7) {
   ["lifetime"]=>
   int(3600)
   ["path"]=>
@@ -130,6 +161,8 @@ array(6) {
   string(3) "foo"
   ["secure"]=>
   bool(true)
+  ["partitioned"]=>
+  bool(true)
   ["httponly"]=>
   bool(true)
   ["samesite"]=>

@@ -0,0 +1,31 @@
+--TEST--
+session_start() with partitioned cookies
+--INI--
+session.use_strict_mode=0
+session.save_handler=files
+session.save_path=
+session.cookie_secure=0
+session.cookie_partitioned=0
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+ob_start();
+
+var_dump(session_start(['cookie_partitioned' => true]));
+var_dump(session_start(['cookie_partitioned' => true, 'cookie_secure' => false]));
+var_dump(session_start(['cookie_partitioned' => true, 'cookie_secure' => true]));
+
+ob_end_flush();
+
+?>
+--EXPECTF--
+Warning: session_start(): Partitioned session cookie cannot be used without also configuring it as secure in %s on line %d
+bool(false)
+
+Warning: session_start(): Partitioned session cookie cannot be used without also configuring it as secure in %s on line %d
+bool(false)
+bool(true)
@@ -0,0 +1,13 @@
+--TEST--
+session_start() with partitioned cookies - header test
+--EXTENSIONS--
+session
+--FILE--
+<?php
+session_id('12345');
+session_set_cookie_params(["secure" => true, "partitioned" => true]);
+session_start();
+?>
+--EXPECTHEADERS--
+Set-Cookie: PHPSESSID=12345; path=/; secure; Partitioned
+--EXPECT--