Hi all,

On Tue, Oct 18, 2016 at 4:31 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> I understand why header() is made to remove all headers of the same
> name. This is needed in some cases, but it does not work well for some
> cases.
> We need to decide what to do with
> https://bugs.php.net/bug.php?id=72997
> There is 2 issues.
>   - header() removes all headers of the same name including 'Set-Cookie'
>   - header() ignores replace flag. (This one is easy to fix)
> Since header() enables 'replace flag' by default, it removes all
> 'Set-Cookie' headers sent previously by default. It can easily disturb
> security related cookies to work. i.e. Session ID cookie, Auto Login
> cookie. This bug would be very hard to find for normal users, too.
> Restoring older behavior (Removing only one header) cannot be a
> resolution because it can still disturb security related cookies.
> Possible resolutions:
>  - Prohibit 'Set-Cookie' for header() and force users to use setcookie()
>  - Mitigate by disabling replace flag by default. (This is not a good idea, 
> IMO)
> Both resolution requires BC, but this is better to be fixed ASAP.
> Non-BC resolution could be:
>   - "Ask users to use setcookie() always for 'Set-Cookie'".
> I would like to prohibit 'Set-Cookie' by header() because it may
> remove session ID cookie as well as auto login cookie, etc. If we
> leave released version as it is now, I would like to prohibit
> 'Set-Cookie' by header() in PHP 7.1.
> Problem with this may be that user cannot modify 'Set-Cookie' header
> line as user want.
> $ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020
> 05:38:43 GMT; path=/; domain=aaa");'
> PHP Warning:  Cookie names cannot contain any of the following '=,;
> \t\r\n\013\014' in Command line code on line 1
> Comments?

An idea for session ID protection.

Following code results in lost session always.

header('Set-Cookie: something');

header() function removes all header of the same name, e.g.
Set-Cookie, Expires, etc, by sapi_remove_header(). This could be very
hard to find the cause.

This risk can be removed w/o much BC. Only BC is when user is
intentionally trying to delete session ID cookie manually. This would
be very rare. We can add code that excludes session ID cookie in

To do that, we can search string like following
Set-Cookie: PHPSESSID=xxxxxxx

The only issue is we need session global, i.e. PS(session_name), at
least. It's not nice to have dependency from SAPI.c to session, but it
protects session ID from removed by users by mistake.

Any comments?


Yasuo Ohgaki

PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to