ID:               43311
Comment by:       yoy dot noneoff at dfgh dot net
Reported By:      crrodriguez at suse dot de
Status:           Open
Bug Type:         *General Issues
Operating System: Irrelevant
PHP Version:      5.3CVS-2007-11-16 (CVS)
New Comment:

http://www.faqs.org/rfcs/rfc2109
http://www.faqs.org/rfcs/rfc2965
RFCs linked from the setcookie function docs

"
...
* at least 300 cookies
* at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header)
...
"

keyword: at least

So basically PHP should not limit cookie length; it's up to the client/browser how to handle it.


Previous Comments:
------------------------------------------------------------------------

[2007-11-16 03:26:53] judas dot iscariote at gmail dot com

Corrected/working patch is here now (previous had errors... I should test patches before submitting them :) )

http://www.flyspray.org/patches/setcookie-4096btyesonly.patch

------------------------------------------------------------------------

[2007-11-16 01:30:40] crrodriguez at suse dot de

Description:
------------
The following report caught my attention

http://www.securityfocus.com/archive/1/483705

That is indeed a bug in Konqueror, but if you look at the "reproduce code" it says.

Reproduce code:
---------------
<?php
ini_set("memory_limit","200M");
setcookie("hi_fox", str_repeat("A",19999999));
?>

Expected result:
----------------
PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes.

http://www.15seconds.com/faq/Cookies/388.htm
http://wp.netscape.com/newsref/std/cookie_spec.html

E-Warning "Cookie cannot store more than %d bytes of data"

Actual result:
--------------
PHP setting a 200MB cookie anyway.

patch here : http://rafb.net/p/zs0ojA57.html

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=43311&edit=1
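
Added example, not part of the bug report or of either linked patch: a userland PHP wrapper that applies the check described under "Expected result" (name length plus value length not larger than 4096 bytes) before calling setcookie(). The names COOKIE_MAX_BYTES, cookie_payload_size() and guarded_setcookie() are hypothetical, and counting the URL-encoded value is an assumption about how the bytes should be measured.

```php
<?php
// Added example: userland guard, not PHP's implementation or the linked patch.
// Hypothetical names: COOKIE_MAX_BYTES, cookie_payload_size(), guarded_setcookie().

const COOKIE_MAX_BYTES = 4096; // limit from the report: name_len + value_len

// Bytes of name + value as sent. setcookie() URL-encodes the value, so the
// encoded length is what counts (assumption: take the larger of the two
// URL encodings PHP offers as a conservative measure).
function cookie_payload_size(string $name, string $value, int $max): int
{
    $raw = strlen($name) + strlen($value);
    if ($raw > $max) {
        return $raw; // encoding never shrinks a string; skip encoding huge input
    }
    $encoded = max(strlen(urlencode($value)), strlen(rawurlencode($value)));
    return strlen($name) + $encoded;
}

// Refuse oversized cookies with a warning instead of emitting the header.
function guarded_setcookie(
    string $name,
    string $value = '',
    int $expires = 0,
    string $path = '',
    int $max = COOKIE_MAX_BYTES
): bool {
    $size = cookie_payload_size($name, $value, $max);
    if ($size > $max) {
        trigger_error(
            sprintf('Cookie cannot store more than %d bytes of data', $max),
            E_USER_WARNING
        );
        return false;
    }
    return setcookie($name, $value, $expires, $path);
}

// Constructed sample calls. The accepted one runs first so that no output
// precedes its header.
$atLimit   = guarded_setcookie('hi_fox', str_repeat('A', 4090)); // 6 + 4090 bytes
$encoded   = guarded_setcookie('hi_fox', str_repeat(';', 2000)); // ';' encodes to 3 bytes
$reproduce = guarded_setcookie('hi_fox', str_repeat('A', 19999999)); // report's input
var_dump($atLimit, $encoded, $reproduce);
```

The $max parameter is left adjustable because the RFC text quoted in the newest comment states 4096 bytes as a minimum that clients must support, not as a maximum.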