Hi all,

I understand why header() is made to remove all headers of the same
name. This is needed in some cases, but it does not work well for some
cases.

We need to decide what to do with
https://bugs.php.net/bug.php?id=72997

There are 2 issues.
  - header() removes all headers of the same name including 'Set-Cookie'
  - header() ignores replace flag. (This one is easy to fix)

Since header() enables the 'replace flag' by default, it removes all
'Set-Cookie' headers sent previously by default. It can easily prevent
security related cookies from working, i.e. the Session ID cookie or Auto Login
cookie. This bug would be very hard to find for normal users, too.

Restoring older behavior (Removing only one header) cannot be a
resolution because it can still disturb security related cookies.

Possible resolutions:

 - Prohibit 'Set-Cookie' for header() and force users to use setcookie()
 - Mitigate by disabling replace flag by default. (This is not a good idea, IMO)

Both resolutions require a BC break, but this is better to be fixed ASAP.

Non-BC resolution could be:
  - "Ask users to use setcookie() always for 'Set-Cookie'".

I would like to prohibit 'Set-Cookie' by header() because it may
remove the session ID cookie as well as the auto login cookie, etc. If we
leave the released versions as they are now, I would like to prohibit
'Set-Cookie' by header() in PHP 7.1.

The problem with this may be that the user cannot modify the 'Set-Cookie' header
line as the user wants.

$ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020 05:38:43 GMT; path=/; domain=aaa");'
PHP Warning:  Cookie names cannot contain any of the following '=,; \t\r\n\013\014' in Command line code on line 1

Comments?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
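Added example, not from the post above: if raw 'Set-Cookie' lines are to be routed through setcookie() instead of header(), the line has to be split into the positional setcookie() arguments rather than passed whole (which is what produces the warning quoted above). The helper name setcookie_from_header_line is hypothetical; it targets the PHP 7.1-era seven-argument setcookie() signature.

```php
<?php
// Hypothetical helper (not PHP's own API): turn a raw "Set-Cookie:" line into a
// setcookie() call so the cookie goes through the cookie API instead of header().
function setcookie_from_header_line(string $line): array
{
    // Strip an optional "Set-Cookie:" prefix.
    $line = preg_replace('/^\s*Set-Cookie\s*:\s*/i', '', $line);

    $parts = array_map('trim', explode(';', $line));
    $pair  = array_shift($parts);
    if (strpos($pair, '=') === false) {
        throw new InvalidArgumentException('cookie line has no name=value pair');
    }
    list($name, $value) = explode('=', $pair, 2);

    // Positional setcookie() arguments as of PHP 7.1:
    // setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
    $args = ['name' => $name, 'value' => $value, 'expire' => 0,
             'path' => '', 'domain' => '', 'secure' => false, 'httponly' => false];

    foreach ($parts as $attr) {
        if ($attr === '') { continue; }
        $kv  = explode('=', $attr, 2);
        $key = strtolower(trim($kv[0]));
        $val = isset($kv[1]) ? trim($kv[1]) : '';
        switch ($key) {
            case 'expires':   // absolute date, e.g. "Sat, 03-Sep-2020 05:38:43 GMT"
                $ts = strtotime($val);
                if ($ts === false) { throw new InvalidArgumentException("bad expires date: $val"); }
                $args['expire'] = $ts;
                break;
            case 'max-age':   // relative lifetime; setcookie() only takes an absolute expiry
                $args['expire'] = time() + (int)$val;
                break;
            case 'path':      $args['path']     = $val;  break;
            case 'domain':    $args['domain']   = $val;  break;
            case 'secure':    $args['secure']   = true;  break;
            case 'httponly':  $args['httponly'] = true;  break;
            default:          // anything setcookie() cannot express here is rejected, not dropped
                throw new InvalidArgumentException("unsupported cookie attribute: $key");
        }
    }

    $args['sent'] = setcookie($args['name'], $args['value'], $args['expire'], $args['path'],
                              $args['domain'], $args['secure'], $args['httponly']);
    return $args;
}

// Constructed input: the REMEMBERME line from the warning quoted in the post.
$result = setcookie_from_header_line('REMEMBERME=value; expires=Sat, 03-Sep-2020 05:38:43 GMT; path=/; domain=aaa');
```

setcookie() URL-encodes the cookie value; where the value must be emitted verbatim, the same arguments can be passed to setrawcookie() instead.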

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php