2016-10-20 10:28 GMT+02:00 Yasuo Ohgaki <yohg...@ohgaki.net>: > Hi Stephen, > > On Thu, Oct 20, 2016 at 5:23 PM, Stephen Reay <php-li...@koalephant.com> > wrote: > > Please understand: *no* “solution" where header() loses the ability to > write any arbitrary header will be acceptable in my opinion. > > Thank you for feedback. > I'll include vote option for prohibiting 'Set-Cookie' for header*() > > Regards, > > -- > Yasuo Ohgaki > yohg...@ohgaki.net > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > Hi Yasuo,
same here, it's not acceptable to limit header and restrict `set_cookie`. Just think about all those frameworks that would have to specialcase setting headers now and have to use the cookie API then. If you want to protect the session cookie header, why not simply set it right before the first output? That'd make it also non-overrideable, but leaves header() intact. But I guess it's harder to implement.
