Hi all,

On Wed, Oct 19, 2016 at 1:34 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Wed, Oct 19, 2016 at 12:18 PM, Stephen Reay <php-li...@koalephant.com> 
> wrote:
>> I still have an issue with that. I believe the correct behaviour here is 
>> (assuming the `replace` argument to header() is honoured) what you’re 
>> seeing. Yes, it might be *unexpected* for new users, but its also *expected* 
>> by millions of current users/projects.
>> I would suggest perhaps a warning on the header() docs page, and perhaps an 
>> example to avoid the issue on the Session handling page.
>> Leaving it as-is, with improved docs means all functionality is *possible* 
>> with the right arguments.
>> Changing to your proposal means advanced use-cases are *impossible* with any 
>> arguments.
>> I realise you’re trying to remove WTF cases, but I don’t think removing 
>> advanced capabilities is the way to do that.
> Yes. Even the framework developer(?) seems to have the current behavior.
> In general, users shouldn't touch the session ID. In case a user really
> wants to modify the session ID cookie, the following could be done.
> <?php
> ob_start();                   // buffer output so headers can still be modified
> session_start();              // queues Set-Cookie: PHPSESSID=... for the response
> header_remove('Set-Cookie');  // drop the session ID cookie queued above
> header('Set-Cookie: PHPSESSID=xxxx something'); // send a custom one instead
> ?>
> Make header_remove() able to delete the 'Set-Cookie' header. (Current behavior)
> Make header() able to send a 'Set-Cookie' header. (Current behavior, but
> does not remove the session ID cookie)
> This allows users to send an arbitrary session ID cookie when it is
> really needed, while avoiding accidental session ID cookie
> removal.
> What do you think?

Another idea for session ID cookie and Set-Cookie header protection.

Since we have the setcookie() function, how about having dedicated
functions for cookie header manipulation.

I'm about to create a new feature request as follows:
Protect session ID and other cookies from header() and header_remove().
header() removes any previously defined headers.
header('Set-Cookie: something') / header_remove() deletes the session ID
and other Set-Cookie headers. Cookies should be protected from

Instead, create new cookie functions:

cookie_set() - Set cookie header (setcookie() alias)
cookie_set_raw() - Set cookie header (setrawcookie() alias)
cookie_custom() - Set cookie with custom style.
                  (The same as header(sprintf('Set-Cookie: %s', something));)
cookie_remove() - Remove all cookie headers. The $name parameter is the cookie
name to be deleted.

Protect Set-Cookie headers from header() and header_remove()

This implementation is cleaner because a core-to-session
dependency is not required. It is also good to have a naming standard
for cookie function names, i.e. cookie functions should be
named cookie_*() according to CODING_STANDARDS.


Yasuo Ohgaki
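The accidental session-cookie removal discussed in this thread, as an added demonstration script (not code from the thread or from PHP itself). It assumes it is served by a web SAPI such as `php -S 127.0.0.1:8080 demo.php`, since headers_list() is empty under the CLI SAPI; the cookie names theme, lang and region are made up for the demo.

```php
<?php
// Added example (not from the thread): watch the queued Set-Cookie headers
// while calling header() with the default replace=true, then add cookies in
// ways that leave the session ID cookie intact. Serve it with a web SAPI,
// e.g. `php -S 127.0.0.1:8080 demo.php` (headers_list() is empty under CLI).
header('Content-Type: text/plain');

/** Return only the Set-Cookie lines currently queued for this response. */
function setCookieHeaders(): array
{
    return array_values(array_filter(
        headers_list(),
        fn(string $h) => stripos($h, 'Set-Cookie:') === 0
    ));
}

session_start();                 // on a fresh visit queues Set-Cookie: PHPSESSID=...
echo "after session_start():\n";
print_r(setCookieHeaders());

// Problem case: header() defaults to replace=true, which replaces *all*
// queued Set-Cookie headers, including the session ID cookie.
header('Set-Cookie: theme=dark; Path=/; HttpOnly');
echo "after header() with replace=true:\n";
print_r(setCookieHeaders());     // only theme=dark remains; PHPSESSID is gone

// Re-issue a session cookie so the safe variants below have something to
// preserve (this also rotates the ID, which is fine for the demo).
session_regenerate_id(true);

// Safe variants: setcookie() always appends, and header(..., false) appends.
setcookie('lang', 'en', ['path' => '/', 'httponly' => true]);
header('Set-Cookie: region=eu; Path=/; HttpOnly', false);
echo "after setcookie() and header(..., false):\n";
print_r(setCookieHeaders());     // PHPSESSID, theme, lang and region all present
```

Reloading the page with the session cookie already present will show no PHPSESSID line after session_start(), because the session module only sends the cookie when the ID is new or regenerated.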

PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php