2016-10-20 10:28 GMT+02:00 Yasuo Ohgaki <[email protected]>: > Hi Stephen, > > On Thu, Oct 20, 2016 at 5:23 PM, Stephen Reay <[email protected]> > wrote: > > Please understand: *no* “solution" where header() loses the ability to > write any arbitrary header will be acceptable in my opinion. > > Thank you for feedback. > I'll include vote option for prohibiting 'Set-Cookie' for header*() > > Regards, > > -- > Yasuo Ohgaki > [email protected] > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > Hi Yasuo,
same here, it's not acceptable to limit header and restrict `set_cookie`. Just think about all those frameworks that would have to specialcase setting headers now and have to use the cookie API then. If you want to protect the session cookie header, why not simply set it right before the first output? That'd make it also non-overrideable, but leaves header() intact. But I guess it's harder to implement.
