From:             [EMAIL PROTECTED]
Operating system: Any
PHP version:      4.1.2
PHP Bug Type:     HTTP related
Bug description:  SetCookie: updated specs

PHP seems to implement the original Cookie *proposal* by Netscape. However,
there are two newer *Standard* specifications by the IETF.

http://www.netscape.com/newsref/std/cookie_spec.html "Persistent Client
State -- HTTP Cookies"
http://www.ietf.org/rfc/rfc2109.txt "HTTP State Management Mechanism"
http://www.ietf.org/rfc/rfc2965.txt "HTTP State Management Mechanism"

Since RFC 2109 is already over 5 years old, I would recommend implementing
it over the long-deprecated Netscape specification. The major change is
that the Expires attribute is replaced with the Max-Age attribute,
eliminating the problem of time synchronization between client and server.
Of course, you can send both attributes.

I would not implement RFC 2965 yet, since it defines the Set-Cookie2
header, which is possibly not widely supported yet.

Also, please read the security considerations. For example, about
spoofing:

   Proper application design can avoid spoofing attacks from related
   domains.  Consider:

      1. User agent makes request to victim.cracker.edu, gets back
         cookie session_id="1234" and sets the default domain
         victim.cracker.edu.

      2. User agent makes request to spoof.cracker.edu, gets back cookie
         session-id="1111", with Domain=".cracker.edu".

      3. User agent makes request to victim.cracker.edu again, and
         passes

         Cookie: $Version="1"; session_id="1234",
                 $Version="1"; session_id="1111"; $Domain=".cracker.edu"

         The server at victim.cracker.edu should detect that the second
         cookie was not one it originated by noticing that the Domain
         attribute is not for itself and ignore it.
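
As an added example (not from the bug report and not PHP's own code), the check the RFC passage asks of the server, together with a Set-Cookie value carrying both Max-Age and Expires as suggested above, in Python. The host name and the Cookie header are constructed from the RFC scenario; the parser follows the RFC 2109 rule that `;` or `,` separate items and `$`-prefixed names are attributes of the preceding cookie.

```python
import re
import time

# Constructed for the example: the host this server believes it is.
SERVER_HOST = "victim.cracker.edu"

def parse_rfc2109_cookie(header):
    """Split an RFC 2109 Cookie header into cookies plus their $-attributes.

    A token whose name does not start with '$' opens a new cookie; $Path and
    $Domain attach to the cookie before them; $Version is not a cookie.
    """
    cookies = []
    for token in re.split(r"[;,]", header):
        token = token.strip()
        if not token or "=" not in token:
            continue
        name, value = token.split("=", 1)
        name, value = name.strip(), value.strip().strip('"')
        if name.lower() == "$version":
            continue
        if name.startswith("$"):
            if cookies:                      # attribute of the last cookie
                cookies[-1][name[1:].lower()] = value
            continue
        cookies.append({"name": name, "value": value})
    return cookies

def own_cookies(cookies, domain_we_set=None):
    """Keep only cookies whose $Domain equals the Domain this server sends.

    A server that never sets Domain gets its own cookies back without a
    $Domain attribute, so a cookie carrying $Domain=".cracker.edu" was
    planted by a sibling host and is ignored (RFC 2109 section 8.3).
    """
    return [c for c in cookies if c.get("domain") == domain_we_set]

def set_cookie_header(name, value, max_age, now=None, path="/"):
    """Set-Cookie value with RFC 2109 Max-Age and the Netscape Expires."""
    now = time.time() if now is None else now
    expires = time.strftime("%a, %d-%b-%Y %H:%M:%S GMT",
                            time.gmtime(now + max_age))
    return (f"{name}={value}; Version=1; Max-Age={max_age}; "
            f"Expires={expires}; Path={path}")

if __name__ == "__main__":
    # The header from step 3 of the RFC scenario, as received by SERVER_HOST.
    received = ('$Version="1"; session_id="1234", '
                '$Version="1"; session_id="1111"; $Domain=".cracker.edu"')
    print(own_cookies(parse_rfc2109_cookie(received)))
    print(set_cookie_header("session_id", "1234", 3600))
```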

-- 
Edit bug report at http://bugs.php.net/?id=17178&edit=1