feat(http): add cookie config options to control unencrypted cookie discarding #2132

Open: rexpl wants to merge 3 commits into tempestphp:3.x from rexpl:fix/discard-unencrypted-cookies

@rexpl rexpl commented May 21, 2026

I was surprised by the default Tempest behaviour of discarding any cookie it did not encrypt itself. Cookies from other legitimate services (e.g. a reverse proxy) would silently get discarded. Two new CookieConfig options allow developers to handle this: discardUnencryptedCookies to disable discarding entirely, and plaintextCookies to allowlist specific cookies by name.

Original behaviour is preserved, but can now be opted out of (fully or partially).

@rexpl rexpl requested review from aidan-casey and brendt as code owners May 21, 2026 06:45
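
The policy described in the pull request description above, modelled as an added example (not code from this pull request or from Tempest). The function names, the `authenticated` flag and the use of libsodium secretbox in place of the framework's encrypter are assumptions; only the two option names come from the description.

```php
<?php
declare(strict_types=1);

// Stand-in for the framework's encrypter (assumption): libsodium secretbox.
function sealCookie(string $value, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($value, $nonce, $key));
}

// Returns the plaintext, or null when the value was not sealed with $key.
function openCookie(string $raw, string $key): ?string
{
    $bin = base64_decode($raw, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($bin === false || strlen($bin) < $min) {
        return null;
    }
    $nonce = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    return $plain === false ? null : $plain;
}

/** Hypothetical filter; the two option names are taken from the PR description. */
function filterCookies(array $incoming, string $key, bool $discardUnencryptedCookies = true, array $plaintextCookies = []): array
{
    $kept = [];
    foreach ($incoming as $name => $raw) {
        $plain = openCookie($raw, $key);
        if ($plain !== null) {
            $kept[$name] = ['value' => $plain, 'authenticated' => true];
        } elseif (! $discardUnencryptedCookies || in_array((string) $name, $plaintextCookies, true)) {
            // Client-controlled and unauthenticated: kept, but flagged as untrusted.
            $kept[$name] = ['value' => $raw, 'authenticated' => false];
        }
    }
    return $kept;
}

// Constructed sample request: one sealed cookie, one set by a proxy, one plaintext cookie from the client.
$key = sodium_crypto_secretbox_keygen();
$incoming = ['session' => sealCookie('user-42', $key), 'proxy_route' => 'node-b', 'is_admin' => '1'];
foreach ([[true, []], [true, ['proxy_route']], [false, []]] as [$discard, $allow]) {
    $kept = filterCookies($incoming, $key, $discard, $allow);
    echo json_encode(array_map(fn (array $c): bool => $c['authenticated'], $kept)), PHP_EOL;
}
```

With discarding disabled, every plaintext cookie reaches the application, so code that reads one should treat its value as untrusted input; the allowlist narrows that exposure to the named cookies.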
Member

@innocenzi innocenzi left a comment


Looks good, just a few minor changes


final class CookieConfig
{
public function __construct(

Can you add docblocks to describe the functionality of each option?


final class CookieHandlingTest extends FrameworkIntegrationTestCase
{
public function test_encrypted_cookies_are_kept_when_default(): void

Would appreciate using #[Test] for new tests instead of the method name prefix 🙏

public function test_encrypted_cookies_are_kept_when_default(): void
{
try {
/** @var \Tempest\Cryptography\Encryption\Encrypter $encrypter */

I don't think this is needed, Container has @template

github-actions Bot commented May 21, 2026

Benchmark Results

Comparison of fix/discard-unencrypted-cookies against 3.x (033e1cc714e03ecf6fc11c792efd8db1e76d7332).

| Benchmark | Set | Mem. Peak | Time | Variability |
| --- | --- | --- | --- | --- |
| ContainerBench(benchRegisterClosureSingleton) | - | 6.402mb (0.00%) | 1.208μs (-6.79%) | ±1.35% (-5.70%) |
| ViewRenderBench(benchPlainHtml) | - | 21.973mb (0.00%) | 438.045μs (+5.02%) | ±1.51% (-50.05%) |
| ViewRenderBench(benchViewComponent) | - | 69.675mb (0.00%) | 3.697ms (+35.61%) | ±3.45% (+17.92%) |
| DiscoveryScanBench(benchFullDiscoveryScan) | - | 24.596mb (+0.02%) | 13.550ms (-6.04%) | ±0.64% (-60.39%) |

Generated by phpbench against commit 40ecf51
