Hi All,

Just to make my earlier point of view crystal clear:

As a purely userland party and someone maintaining a PHP framework, I don’t think it’s acceptable to limit which headers header()/header_remove() can operate on, particularly when the problem you’re trying to ‘solve’ is simply incorrect use of the functions available. It *is* possible to achieve any outcome desired with *correct* use of the header, session and cookie functions (and assuming the $replace argument to header() works correctly).

I still believe the way to solve this issue is with better information about usage, not by removing existing functionality.

So, please do *not* consider this to be an acceptable solution.

Cheers

Stephen

> On 20 Oct 2016, at 13:58, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
> Hi Stas,
>
> I posted an idea for preventing accidental cookie deletion.
> 'Set-Cookie' is a HTTP header, but provide dedicated functions for it. I pasted
> it with a little modification.
> What do you think?
>
> Bottom line is I would like to prevent lost session ID by header()
> in the future.
>
> Implement cookie_*() functions in 7.x, then prohibit 'Set-Cookie' for
> header() in 8.x
>
> On Thu, Oct 20, 2016 at 1:39 PM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>>> There are 2 issues.
>>> - header() removes all headers of the same name including 'Set-Cookie'
>>> - header() ignores replace flag. (This one is easy to fix)
>>
>> We have the flag, so if it doesn't work it should be fixed. Also, one
>> should use setcookie() for cookies, usually.
>
>
> Another idea for session ID cookie and Set-Cookie header protection.
>
> Since we have setcookie() function, how about to have cookie
> dedicated functions for cookie header manipulation.
>
> I'm about to create new feature request as follows:
> ---------------------
> Protect session ID and other cookies from header(), header_remove()
> ---------------------
> header() removes any previously defined headers.
> header('Set-Cookie: something') / header_remove() deletes session ID
> and other Set-Cookie headers. Cookies should be protected from
> header()/header_remove().
>
> Instead, create new cookie functions
>
> cookie_set() - Set cookie header (setcookie() alias)
> cookie_set_raw() - Set cookie header (setrawcookie alias)
> cookie_custom() - Set cookie with custom style.
>                   (The same as header(sprintf('Set-Cookie: %s', $something));
> cookie_list() - Mostly the same as headers_list()
> cookie_remove([string $name]) - Mostly the same as header_remove()
>                   Remove cookie header. $name parameter is cookie name to be deleted.
>
> Protect Set-Cookie headers from header() and header_remove()
> ----------------------
>
> This implementation is cleaner because core to session
> dependency is not required. It is also good to have naming standard
> conforming cookie function names. i.e. Cookie functions should be
> named cookie_*() according to CODING_STANDARDS.
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
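
Added example, not part of the thread and not code from any poster or from php-src: a small script that reports, after each header manipulation discussed above, whether the session ID cookie is still queued for sending. The cookie names theme, lang and tz are made up for illustration, and the script assumes it is served through a web SAPI (for instance the built-in server started with php -S).

```php
<?php
declare(strict_types=1);

ob_start(); // buffer output so headers can still be changed below

/** Names of all cookies currently queued in Set-Cookie response headers. */
function queued_cookie_names(): array
{
    $names = [];
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a cookie header
        }
        $pair = ltrim(substr($line, strlen('Set-Cookie:')));
        $names[] = explode('=', $pair, 2)[0];
    }
    return $names;
}

/** True while the session ID cookie is still going to be sent. */
function session_cookie_queued(): bool
{
    return in_array(session_name(), queued_cookie_names(), true);
}

session_start();
session_regenerate_id(true); // guarantees a fresh session cookie is queued
$report = ['session started' => session_cookie_queued()];

// setcookie() adds its own Set-Cookie header next to the existing ones.
setcookie('theme', 'dark');
$report["setcookie('theme', ...)"] = session_cookie_queued();

// header() with $replace = false appends instead of replacing.
header('Set-Cookie: lang=en; Path=/', false);
$report["header(..., false)"] = session_cookie_queued();

// header() with the default $replace = true replaces every earlier
// header of the same name, which includes the session ID cookie.
header('Set-Cookie: tz=UTC; Path=/');
$report["header(...) default replace"] = session_cookie_queued();

header('Content-Type: text/plain');
foreach ($report as $step => $kept) {
    printf("%-30s session cookie %s\n", $step, $kept ? 'kept' : 'LOST');
}
printf("queued cookies: %s\n", implode(', ', queued_cookie_names()));
```

With header() behaving as documented, the first three steps keep the session cookie and only the last one loses it; because the script prints what the running build actually does, it also serves as a check of the $replace flag on a given PHP version.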