Hi Stas,

I posted an idea for preventing accidental cookie deletion. 'Set-Cookie' is an HTTP header, but provide dedicated functions for it. I pasted it with a little modification. What do you think?
Bottom line is I would like to prevent lost session ID by header() in the future. Implement cookie_*() functions in 7.x, then prohibit 'Set-Cookie' for header() in 8.x.

On Thu, Oct 20, 2016 at 1:39 PM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>> There are 2 issues.
>> - header() removes all headers of the same name including 'Set-Cookie'
>> - header() ignores replace flag. (This one is easy to fix)
>
> We have the flag, so if it doesn't work it should be fixed. Also, one
> should use setcookie() for cookies, usually.

Another idea for session ID cookie and Set-Cookie header protection.

Since we have the setcookie() function, how about having cookie dedicated functions for cookie header manipulation?

I'm about to create a new feature request as follows:

---------------------
Protect session ID and other cookies from header(), header_remove()
---------------------

header() removes any previously defined headers. header('Set-Cookie: something') / header_remove() deletes session ID and other Set-Cookie headers.

Cookies should be protected from header()/header_remove(). Instead, create new cookie functions:

- cookie_set() - Set cookie header (setcookie() alias)
- cookie_set_raw() - Set cookie header (setrawcookie alias)
- cookie_custom() - Set cookie with custom style. (The same as header(sprintf('Set-Cookie: %s', $something));)
- cookie_list() - Mostly the same as headers_list()
- cookie_remove([string $name]) - Mostly the same as header_remove(). Remove cookie header. $name parameter is cookie name to be deleted.

Protect Set-Cookie headers from header() and header_remove()

----------------------

This implementation is cleaner because core to session dependency is not required. It is also good to have naming standard conforming cookie function names, i.e. cookie functions should be named cookie_*() according to CODING_STANDARDS.

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
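
A userland guard for the lost session cookie described in the message above, added here as an example; it is not code from the thread or from PHP itself. `has_cookie_header()` and `guard_session_cookie()` are hypothetical helper names, and the script assumes it is served by a web SAPI such as `php -S`.

```php
<?php
// Added example, not code from the thread. has_cookie_header() and
// guard_session_cookie() are hypothetical helpers, not PHP built-ins.
// Assumes a web SAPI, e.g. `php -S 127.0.0.1:8000 guard.php`.

// True if a "Set-Cookie: <name>=..." header is currently queued.
function has_cookie_header(string $name): bool
{
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $pair = ltrim(substr($line, strlen('Set-Cookie:')));
        if (strncmp($pair, $name . '=', strlen($name) + 1) === 0) {
            return true;
        }
    }
    return false;
}

// Call right after session_start(). If a new session cookie was queued,
// check again just before headers are sent and re-queue it when missing.
function guard_session_cookie(): void
{
    $name = session_name();
    if (!has_cookie_header($name)) {
        return; // no new cookie queued: the client already sent its ID
    }
    header_register_callback(function () use ($name) {
        if (has_cookie_header($name)) {
            return;
        }
        error_log("Set-Cookie for {$name} was dropped before send; re-queuing");
        $p = session_get_cookie_params();
        $expires = $p['lifetime'] ? time() + $p['lifetime'] : 0;
        // setcookie() appends a header instead of replacing existing ones.
        setcookie($name, session_id(), $expires, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    });
}

session_start();                      // new visitor: queues the session cookie
guard_session_cookie();
setcookie('theme', 'dark');           // appended next to the session cookie
header('Set-Cookie: tracking=abc');   // replaces every queued Set-Cookie header
echo "Inspect the response headers, e.g. with curl -i\n";
// The guard restores only the session cookie; 'theme' is still lost.
```

On a first request without a session cookie, the response carries both the `tracking` cookie and the re-queued session cookie, and the error log records that the original header was dropped.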