New in Symfony 6.4: CHIPS Cookies


Contributed by Fabrice Locher in #52002.

Browsers like Google Chrome will phase out support for third-party cookies
starting from midway through 2024. The alternative is called CHIPS, which
stands for "Cookies Having Independent Partitioned State".
Browsers with CHIPS cookie support allow a new attribute called Partitioned
when creating a cookie with the Set-Cookie HTTP header:

Set-Cookie: cookie-name=cookie-value; SameSite=None; Secure; Path=/; Partitioned;

When the browser receives a cookie with the Partitioned attribute set, the
cookie is stored using two keys, the host key and a new partition key.
Consider this example that doesn't use CHIPS cookies:

  1. User visits https://example-1.com which embeds content from https://3rd-party.com
    (which in turn sets a cookie from https://3rd-party.com);
  2. User visits another site called https://example-2.com which also
    embeds content from https://3rd-party.com;
  3. The content from https://3rd-party.com embedded in https://example-2.com can
    access the cookie set while the user was on https://example-1.com.

This is because cookies are stored with a key (called host key) based on the
host or domain name of the site that set them (in the above example, the key is
3rd-party.com).
When using CHIPS cookies, things work differently:

  1. User visits https://example-1.com which embeds content from https://3rd-party.com
    (which in turn sets a cookie from https://3rd-party.com including the
    Partitioned attribute);
  2. The cookie is stored using two keys: {("https://example-1.com"), ("3rd-party.com")}
    (the first one is the partition key and the second one is the host key);
  3. User visits another site called https://example-2.com which also
    embeds content from https://3rd-party.com;
  4. The content from https://3rd-party.com embedded in https://example-2.com cannot
    access the cookie set on https://example-1.com because the partition key
    (which is https://example-1.com) doesn't match.
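
The two walkthroughs above can be replayed against a toy cookie jar. This is an added example, not code from Symfony or from any browser; the CookieJar class, its methods and the demo() helper are hypothetical names. It assumes a browser that still accepts unpartitioned third-party cookies, and it also models the browser rule that a Partitioned cookie without Secure is rejected.

```javascript
// Toy model of a browser cookie jar (constructed for illustration; real browsers
// derive the partition key from the top-level site: scheme + registrable domain).
class CookieJar {
  store = new Map(); // JSON [partitionKey, hostKey, name] -> value

  // Parse a Set-Cookie header value into { name, value, attrs }.
  static parse(header) {
    const [pair, ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
    const eq = pair.indexOf('=');
    const attrs = new Set(rest.map((a) => a.split('=')[0].toLowerCase()));
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
  }

  // topLevelSite: the site in the address bar; host: the host that sent Set-Cookie.
  set(topLevelSite, host, header) {
    const { name, value, attrs } = CookieJar.parse(header);
    const partitioned = attrs.has('partitioned');
    // Browsers reject a Partitioned cookie that is not also Secure.
    if (partitioned && !attrs.has('secure')) return false;
    // Unpartitioned cookies get an empty partition key: the host key alone decides.
    const partitionKey = partitioned ? topLevelSite : '';
    this.store.set(JSON.stringify([partitionKey, host, name]), value);
    return true;
  }

  // Cookies sent to `host` when it is embedded under `topLevelSite`.
  get(topLevelSite, host) {
    const out = {};
    for (const [key, value] of this.store) {
      const [partitionKey, hostKey, name] = JSON.parse(key);
      if (hostKey === host && (partitionKey === '' || partitionKey === topLevelSite)) {
        out[name] = value;
      }
    }
    return out;
  }
}

function demo() {
  // Constructed sample headers, modelled on the Set-Cookie line shown earlier.
  const jar = new CookieJar();
  jar.set('https://example-1.com', '3rd-party.com', 'legacy=1; SameSite=None; Secure; Path=/');
  jar.set('https://example-1.com', '3rd-party.com', 'chips=1; SameSite=None; Secure; Path=/; Partitioned;');
  const rejected = !jar.set('https://example-1.com', '3rd-party.com', 'bad=1; Partitioned');
  return {
    onExample1: Object.keys(jar.get('https://example-1.com', '3rd-party.com')).sort(),
    onExample2: Object.keys(jar.get('https://example-2.com', '3rd-party.com')).sort(),
    rejected,
  };
}
```

Under https://example-2.com only the unpartitioned cookie is returned, which is the cross-site visibility that the Partitioned attribute removes.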

In Symfony 6.4/7.0, we've added support for CHIPS cookies in the
HttpFoundation component. In practice, cookies now include a partitioned
flag that you can set when creating them:

use Symfony\Component\HttpFoundation\Cookie;

$cookie = new Cookie('cookie-name', 'cookie-value', '...', partitioned: true);

// or:
$cookie = Cookie::fromString('cookie-name=cookie-value; ...; Partitioned;');

// or, for an existing Cookie instance (the with*() methods return a new
// object, so keep the returned value):
$cookie = $cookie->withPartitioned();

And you can also check if a cookie is a CHIPS cookie with this new method:

$isPartitioned = $cookie->isPartitioned();

The handling of third-party cookies will change dramatically in the coming months.
Thanks to the continuous Symfony updates, your applications can prepare in advance.