(Apologies for the dupe, re-sending for the list.)
If the replace flag was fixed, isn’t this then just a case of making sure
userland sets replace to false if they want existing set-cookie headers
Removing the ability to write a custom Set-Cookie header introduces a bigger
problem than the current one, IMO.
> On 18 Oct 2016, at 14:31, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
> I understand why header() is made to remove all headers of the same
> name. This is needed in some cases, but it does not work well for some
> We need to decide what to do with
> There are 2 issues.
> - header() removes all headers of the same name including 'Set-Cookie'
> - header() ignores replace flag. (This one is easy to fix)
> Since header() enables 'replace flag' by default, it removes all
> 'Set-Cookie' headers sent previously by default. It can easily interfere with
> security related cookies, i.e. Session ID cookie, Auto Login
> cookie. This bug would be very hard to find for normal users, too.
> Restoring older behavior (removing only one header) cannot be a
> resolution because it can still disturb security related cookies.
> Possible resolutions:
> - Prohibit 'Set-Cookie' for header() and force users to use setcookie()
> - Mitigate by disabling replace flag by default. (This is not a good idea,
> Both resolutions require BC, but this is better to be fixed ASAP.
> Non-BC resolution could be:
> - "Ask users to use setcookie() always for 'Set-Cookie'".
> I would like to prohibit 'Set-Cookie' by header() because it may
> remove the session ID cookie as well as the auto login cookie, etc. If we
> leave the released version as it is now, I would like to prohibit
> 'Set-Cookie' by header() in PHP 7.1.
> The problem with this may be that users cannot modify the 'Set-Cookie' header
> line as they want.
> $ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020
> 05:38:43 GMT; path=/; domain=aaa");'
> PHP Warning: Cookie names cannot contain any of the following '=,;
> \t\r\n\013\014' in Command line code on line 1
> Yasuo Ohgaki
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
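An added example (not code from the thread) that makes the replace-flag behaviour discussed above visible: a session-style cookie is queued with setcookie(), then a second cookie is emitted three ways, and the Set-Cookie lines still queued are returned. With header()'s default replace=true only REMEMBERME remains; with replace=false or with setcookie() the PHPSESSID cookie survives. The cookie names and values are constructed for the demonstration.

```php
<?php
// Added example, not from the mailing-list thread. Run under the CLI SAPI:
// headers are never actually sent there, but headers_list() still reports
// what is queued, so the effect of header()'s replace flag can be inspected.

function queueCookies(string $mode): array
{
    header_remove();   // start each scenario from an empty header list

    // Security-relevant cookie queued first, as session_start() would do.
    // (Old positional signature so it runs on 2016-era PHP as well.)
    setcookie('PHPSESSID', 'abc123', 0, '/', '', false, true);

    switch ($mode) {
        case 'header-replace':
            // Default replace=true: the queued Set-Cookie line is dropped
            // before this one is added, so the session cookie is lost.
            header('Set-Cookie: REMEMBERME=value; path=/; HttpOnly');
            break;
        case 'header-append':
            // replace=false: the existing Set-Cookie line is left alone.
            header('Set-Cookie: REMEMBERME=value; path=/; HttpOnly', false);
            break;
        case 'setcookie':
            // setcookie() never replaces; this is what the thread recommends.
            setcookie('REMEMBERME', 'value', 0, '/', '', false, true);
            break;
    }

    // Return only the Set-Cookie lines still queued for sending.
    return array_values(array_filter(
        headers_list(),
        function (string $h): bool { return stripos($h, 'Set-Cookie:') === 0; }
    ));
}

// Collect all three scenarios before printing so no output is emitted
// between header() calls.
$results = [];
foreach (['header-replace', 'header-append', 'setcookie'] as $mode) {
    $results[$mode] = queueCookies($mode);
}
print_r($results);
```

The same check (filtering headers_list() for Set-Cookie before the response goes out) is a cheap way to detect in tests whether application code has clobbered a session or remember-me cookie.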