Response: setCookie() supports the Partitioned (CHIPS) attribute

dg · dg · commit f5baefda6216 · 2026-06-02T02:28:50.000+02:00
Adds a $partitioned argument to setCookie(). When enabled it appends the
Partitioned attribute and forces Secure, which the browser requires for a
partitioned cookie. Like $sameSite, the argument lives only on Response, not on
the IResponse interface.
diff --git a/src/Http/Response.php b/src/Http/Response.php
@@ -237,6 +237,7 @@ public function setCookie(
 		?bool $secure = null,
 		?bool $httpOnly = null,
 		?string $sameSite = null,
+		bool $partitioned = false,
 	): static
 	{
 		self::checkHeaders();
@@ -250,8 +251,9 @@ public function setCookie(
 
 		$seconds = Helpers::expirationToSeconds($expire);
 		$sameSite ??= self::SameSiteLax;
-		$secure = $sameSite === self::SameSiteNone
-			? true // SameSite=None requires the Secure attribute, otherwise the browser rejects the cookie
+		// both SameSite=None and Partitioned are rejected by the browser without the Secure attribute
+		$secure = $sameSite === self::SameSiteNone || $partitioned
+			? true
 			: $secure ?? $this->cookieSecure;
 		// the value is raw-url-encoded the same way PHP reads it back from $_COOKIE;
 		// Max-Age takes precedence over expires (RFC 6265), expires is sent too for ancient clients
@@ -261,7 +263,8 @@ public function setCookie(
 			. (($domain = $domain ?? ($path ? '' : $this->cookieDomain)) === '' ? '' : '; domain=' . $domain)
 			. ($secure ? '; secure' : '')
 			. (($httpOnly ?? true) ? '; HttpOnly' : '')
-			. '; SameSite=' . $sameSite;
+			. '; SameSite=' . $sameSite
+			. ($partitioned ? '; Partitioned' : '');
 		header('Set-Cookie: ' . $cookie, replace: false);
 		return $this;
 	}
diff --git a/tests/Http/Response.setCookie.phpt b/tests/Http/Response.setCookie.phpt
@@ -109,6 +109,14 @@ $headers = array_values(array_diff(headers_list(), $old, ['Set-Cookie:']));
 Assert::same(['Set-Cookie: test=value; path=/; secure; HttpOnly; SameSite=None'], $headers);
 
 
+// Partitioned (CHIPS) adds the attribute and forces Secure
+$response = new Http\Response;
+$old = headers_list();
+$response->setCookie('test', 'value', null, sameSite: Http\IResponse::SameSiteNone, partitioned: true);
+$headers = array_values(array_diff(headers_list(), $old, ['Set-Cookie:']));
+Assert::same(['Set-Cookie: test=value; path=/; secure; HttpOnly; SameSite=None; Partitioned'], $headers);
+
+
 // integer 0 is deprecated, but kept as a session cookie for BC
 $response = new Http\Response;
 $old = headers_list();
